Chapter 1

Introduction


In this thesis we address the problem of how to give acceptable formal semantics for concurrent programming languages, that is, how to give a precise mathematical formulation of what programs in various such languages mean. We take a broad view of what constitutes a programming language: for example, we consider notations that describe digital circuits or Petri nets to be programming languages, as well as notations that describe systems of concurrent processes interacting via shared variables or message-passing. It is important that we have a formal semantics for any programming language we use, for the following reasons:

1. It is needed in order to precisely define the language.

2. It is needed to provide some basis for deciding the correctness of implementations of the language.

3. It is needed to provide a foundation for methods of analyzing and reasoning about the behavior of programs in the language.

In this thesis we shall not concern ourselves with 2. and 3. above, but shall concentrate on the problem of specifying the semantics of concurrent programming languages and showing the semantics to be 'acceptable' in some sense.


1.1 What kind of semantics?

In order to be considered acceptable, a formal semantics for a programming language should satisfy the following:

1. It should formalize, in some way, our intuitive notions of what a program means.

2. It should be appropriately abstract, i.e. it should distinguish between two programs if and only if we would feel them to differ in some important manner.

3. It should be capable of supporting modular reasoning about programs. This means that it should be possible to prove properties of a program (or subprogram) by breaking it into parts and separately proving properties of these parts.

We will discuss one more criterion for acceptability later.

There are at present three major approaches to programming language semantics: operational semantics, axiomatic semantics, and denotational semantics. Loosely speaking, an operational semantics defines a machine that executes the program. Since an operational semantics will generally satisfy neither criterion 2. nor 3., we forgo this approach. An axiomatic semantics is a logical system that is used to prove properties of programs. A denotational semantics is a semantic function that assigns to any program in the language some mathematical object, called the program's denotation; this function is defined by recursion on the syntactic structure of the program, and thus satisfies criterion 3.

As is to be expected, an axiomatic semantics is usually easier to use than a denotational semantics for proving properties of programs, since it includes a language for expressing program properties that is designed to be as convenient as possible. A denotational semantics, however, can often give more insight into the semantic issues of a language. It can also serve as a foundation for an axiomatic semantics, justifying the axioms and proof rules and providing a ready-made proof of the consistency of the axiom set used.

The approach we will take is essentially a denotational one: we give the semantics of a programming language in terms of a semantic function. However, it bears some resemblance to the axiomatic approach in that we will make heavy use of the language of temporal logic [17,4] in defining our semantic functions. We will also depart from a strictly denotational approach in that we may define our semantic functions using syntactic transformations on programs or subprograms, and not simply by recursion on the syntactic structure of a program.

Example. Since we have chosen a denotational approach, we give a simple (and much-used) example of a denotational semantics. The language is that of arithmetic expressions, given by the following grammar:

\[ E ::= N \mid E + E \mid E - E \mid E * E \mid E / E \mid \mathbf{ifz}\; E\; \mathbf{then}\; E\; \mathbf{else}\; E \]

($N$ is the set of numerals.) We give the denotational semantics of this language as the function $\mathcal{E} : E \to \mathbb{Z}$ defined by

\[
\begin{aligned}
\mathcal{E}[\![\bar{n}]\!] &= n \quad \text{where } \bar{n} \text{ is the numeral representing the integer } n \\
\mathcal{E}[\![e_1 + e_2]\!] &= \mathcal{E}[\![e_1]\!] + \mathcal{E}[\![e_2]\!] \\
\mathcal{E}[\![\mathbf{ifz}\; e_1\; \mathbf{then}\; e_2\; \mathbf{else}\; e_3]\!] &=
  \begin{cases} \mathcal{E}[\![e_2]\!] & \text{if } \mathcal{E}[\![e_1]\!] = 0 \\
                \mathcal{E}[\![e_3]\!] & \text{if } \mathcal{E}[\![e_1]\!] \neq 0 \end{cases}
\end{aligned}
\]

(the clauses for $-$, $*$ and $/$ have the same form as the clause for $+$).
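As an added illustration that is not part of the thesis, the semantic function above written as a Python program. The AST classes are my own representation of the grammar; `denote` is defined by recursion on the syntactic structure, exactly as $\mathcal{E}$ is, and `replace` shows the modularity of criterion 3: substituting a subexpression by one with the same denotation cannot change the denotation of the whole. Integer division is taken to truncate toward zero and division by zero to raise; the page makes neither choice.

```python
# Added example (not from the thesis): the semantic function E for the
# arithmetic-expression language, defined by recursion on syntax.
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Num:                  # a numeral n-bar
    n: int


@dataclass(frozen=True)
class BinOp:                # E + E | E - E | E * E | E / E
    op: str
    left: "Expr"
    right: "Expr"


@dataclass(frozen=True)
class Ifz:                  # ifz E then E else E
    cond: "Expr"
    then: "Expr"
    other: "Expr"


Expr = Union[Num, BinOp, Ifz]


def denote(e: Expr) -> int:
    """E[[e]]: the integer denoted by e.  The denotation of a compound
    expression is computed only from the denotations of its parts."""
    if isinstance(e, Num):
        return e.n                                          # E[[n-bar]] = n
    if isinstance(e, Ifz):                                  # E[[ifz e1 then e2 else e3]]
        return denote(e.then) if denote(e.cond) == 0 else denote(e.other)
    a, b = denote(e.left), denote(e.right)                  # E[[e1 op e2]] = E[[e1]] op E[[e2]]
    if e.op == "+":
        return a + b
    if e.op == "-":
        return a - b
    if e.op == "*":
        return a * b
    if e.op == "/":                                         # my choice: truncate toward zero
        q = abs(a) // abs(b)                                # ZeroDivisionError if b == 0
        return q if (a < 0) == (b < 0) else -q
    raise ValueError(f"unknown operator {e.op!r}")


def replace(e: Expr, old: Expr, new: Expr) -> Expr:
    """Substitute new for every occurrence of the subexpression old in e.
    If denote(old) == denote(new), then denote(e) == denote(replace(e, old, new)):
    this is what lets properties of the whole be proved from properties of the parts."""
    if e == old:
        return new
    if isinstance(e, BinOp):
        return BinOp(e.op, replace(e.left, old, new), replace(e.right, old, new))
    if isinstance(e, Ifz):
        return Ifz(replace(e.cond, old, new), replace(e.then, old, new), replace(e.other, old, new))
    return e
```

A denotational semantics that satisfies criterion 2 also identifies syntactically different expressions with the same value, e.g. `2 * 3` and `6`; `denote` does, since it returns the integer itself.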

1.2 What is a concurrent program?

Having decided upon an essentially denotational approach, we must now decide what kind of an object a concurrent program should denote. Implicit in the previous statement is that, in this thesis, we propose a uniform approach to the semantics of concurrent programming languages: we wish programs in any concurrent language to denote the same kind of object. The reason for this is a desire for conceptual economy and generality; we do not want to have to start from scratch every time we look at a new language. In addition, such a uniformity is bound to facilitate the introduction of useful new programming constructs into a language without wreaking havoc with the semantics. An example of how an insufficiently general approach can cause problems in this regard is the various denotational semantics of CSP [12] proposed in [7,11,24]; there is no evident way of extending these to include the probe function of A. J. Martin [18], which is a very useful extension to CSP.

We note that a common notion of concurrent languages is that their programs may be viewed as describing a system of (concurrently) interacting objects, which we shall henceforth call agents. This may in fact be taken as an informal definition of what we mean by a concurrent language. For a digital circuit the agents will be logic gates, flip-flops, etc.; for a CSP program the agents will be the various communicating processes. The denotation of a concurrent program should then describe the behavior of the indicated system.

Physical systems are generally described by some set of time-varying quantities, which we shall call the state of the system. Formally, there is some function $f$ such that $f(t)$ is the state of the system at time $t$. $f$ is usually not given directly; instead, a set of constraints on $f$ are given (e.g., differential equations involving $f$, boundary conditions, etc.), and these are used to derive $f$ explicitly or to deduce additional information about $f$. As examples, if the system in question is an electrical circuit then, for all $t$, $f(t)$ is a vector of voltages and current flows at various points in the circuit, and if the system is an oscillating string then, for all $t$, $f(t)$ is a continuous function giving the displacement of each point on the string.

The systems we are interested in may be considered discrete abstractions of physical systems. By 'discrete' we mean that any finite interval of time may be partitioned into a finite number of sub-intervals over which the system state is constant. Formally, there is some denumerable set $T = \{t_0, t_1, \ldots\}$ of real numbers such that

1. $t_0 = 0$ and $t_i < t_{i+1}$ for all $i$;

2. for all $t$ there exists some $i$ s.t. $t_i > t$;

3. $f(t) = f(t_i)$ for all $t_i \le t < t_{i+1}$.

Condition 2. guarantees that any finite interval of time contains only a finite number of elements of $T$, and 3. says that the state may change only at times in $T$. Note that all $T$ satisfying 1-3 have a common subset, consisting of 0 and the times at which the state changes.

For any such $T$ we define the infinite sequence

\[ \sigma(f, T) \triangleq f(t_0)\, f(t_1)\, f(t_2) \ldots \]

(We write '$\triangleq$' for 'is defined to be'.) If we are not interested in knowing the times at which the state changes, then $\sigma(f, T)$, which we call the complete trace of the system with respect to $T$, fully describes the behavior of the system. We define a complete trace of the system to be any element of

\[ \{\, \sigma(f, T) \mid T \text{ satisfies conditions 1-3} \,\}. \]

It is easily verified that this set is always nonempty. The complete traces of a system are all equivalent in the sense that they differ only in the number of consecutive instances of the same state.
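As an added illustration that is not part of the thesis, the construction of $\sigma(f, T)$ in Python for a system with finitely many state changes. After the last change the state is constant forever, so an infinite trace is represented by its finite part up to the last sample point, and condition 2 is checked only in the form that the sample set reaches past the last change. The step function, the sample sets and the two-node circuit states are constructed here for the example; the names are my own.

```python
# Added example (not from the thesis): complete traces sigma(f, T) of a
# piecewise-constant state function f for different sample sets T, and the
# check that they differ only in repeated consecutive states.
from bisect import bisect_right


def step_function(changes):
    """changes: (time, state) pairs with strictly increasing times, the first at 0.
    Returns f with f(t) equal to the state set by the last change at or before t."""
    times, states = zip(*changes)
    assert times[0] == 0 and all(a < b for a, b in zip(times, times[1:]))
    return lambda t: states[bisect_right(times, t) - 1]


def is_sample_set(T, changes):
    """Conditions 1-3 on the finite part of T: T starts at 0 and is strictly
    increasing (1), reaches the last change so the constant tail is covered (2),
    and contains every time at which f changes, so that f is constant on each
    interval [t_i, t_{i+1}) (3)."""
    increasing = T[0] == 0 and all(a < b for a, b in zip(T, T[1:]))
    covers = T[-1] >= changes[-1][0]
    return increasing and covers and all(t in T for t, _ in changes)


def complete_trace(f, T):
    """sigma(f, T) = f(t0) f(t1) f(t2) ... (finite part; the last state repeats forever)."""
    return [f(t) for t in T]


def stutter_free(trace):
    """Drop consecutive repetitions of a state.  All complete traces of one
    system have the same stutter-free form: that is the sense in which the
    text calls them equivalent."""
    out = []
    for q in trace:
        if not out or out[-1] != q:
            out.append(q)
    return out


def equivalent(tr1, tr2):
    return stutter_free(tr1) == stutter_free(tr2)


# Constructed system: two circuit nodes i and o; a state is the pair (i, o).
CHANGES = [(0.0, (0, 1)), (1.5, (1, 1)), (2.0, (1, 0)), (5.0, (0, 0)), (5.3, (0, 1))]
f = step_function(CHANGES)
T_MIN = [0.0, 1.5, 2.0, 5.0, 5.3]                    # 0 and the change times only
T_FINE = sorted(T_MIN + [0.5, 1.0, 3.0, 4.0, 7.0])   # extra sample points: stuttering appears
T_BAD = [0.0, 1.5, 5.0, 5.3]                          # misses the change at 2.0: violates condition 3
```

With `T_BAD` the sequence of samples is not a complete trace at all: the state `(1, 0)` that the system passed through is absent, so `complete_trace(f, T_BAD)` is not equivalent to the others. This is why condition 3 is part of the definition.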

In most cases the description of a system's behavior will not uniquely determine $f$. For example, in giving the semantics of a notation intended to describe asynchronous digital circuits we might wish to make no (or limited) assumptions about the relative speeds of the components, and no assumptions about how the values on the input lines will change. The denotation of a program in this notation should then be a set of traces (sequences), with the interpretation that, whatever the relative speeds of the components, whatever the behavior of the input lines, etc., any complete trace of the system described is in this set.

In general then, a concurrent program will denote a set of infinite traces, with the interpretation that any complete trace of the system described is in this set. Equivalently, a concurrent program denotes a predicate on traces that is satisfied by any complete trace of the system.
1.3 Statement of intent


The above leads us to one final criterion of acceptability for any formal semantics of a concurrent language: the denotation of any program should be a nonempty trace set. Let $T$ be the trace set denoted by some program $P$. There would be severe consequences if we allowed $T$ to be empty; in particular, in reasoning about the system described by our program we would begin with the false premiss '$t \in T$' ($t$ being an arbitrary complete trace of the system), and hence find ourselves miraculously capable of proving any statement whatsoever. If the semantics we give for a concurrent language is to be used to justify some proof system for it, it is necessary that the trace set denoted by any program be nonempty for the proof system to be sound.

We may now state more precisely the aim of this thesis. It is twofold:

1. To present an approach to the semantics of concurrent programming languages in which the denotation of a program is always a nonempty set of traces, and to give such a semantics for several concurrent programming languages.

2. To show how it may be guaranteed that the trace set denoted by a concurrent program is nonempty.

1.4 Comparison with other work

The approach to concurrent semantics presented herein differs from other approaches that use traces, such as Milner's CCS [19], the failures model and other models of CSP [12,7,11] and trace theory [23,22], in a number of ways:

1. We consider the notion of a system's state to be more fundamental than the notion of an action; hence we use sequences of states instead of sequences of actions.

2. There is no synchronization of actions performed by distinct agents. As we shall see in Chapter 4, this is not necessary to describe the tight synchronization used in languages such as CSP.

3. We focus on complete traces of a system instead of partial traces, i.e. traces describing the system's evolution up to some arbitrary but finite point in time. Many interesting liveness properties, such as fairness, cannot be adequately expressed in terms of partial traces [5].

4. We do not shy away from infinities. Rather than limit ourselves to finite traces constructed from a finite alphabet, we deal with the consequences of allowing infinite traces and infinite alphabets. Neither do we impose restrictive closure requirements on our sets of traces as in [24,1].

This work is most closely related to the work in linear-time temporal logic [17,2,13,3], which we shall simply refer to as 'temporal logic'. Temporal logic is a logic for reasoning about sequences of states, and its language is a convenient one for expressing many predicates on such sequences.

The early work in temporal logic (as in [17]) gave the semantics of a program as a set of temporal logic axioms. These axioms were justified by giving an operational semantics that produced, for any program, a set of traces, all of which satisfied the axioms corresponding to the program. Unfortunately, the semantics was non-compositional. More recent work [2,13,3] has focused on giving compositional, axiomatic semantics using temporal logic. However, these efforts have not adequately addressed the issue of the consistency of their axiom sets. Lamport in [13] states that the axioms corresponding to a program in his approach may indeed be inconsistent, but he considers this to be unimportant. Barringer, Kuiper and Pnueli in [2] justify their proof rule for recursive procedure calls by stating that the semantics of a recursive procedure definition is the maximal fixed-point of a certain temporal logic formula, but do not prove that there exists any trace satisfying this maximal fixed-point. A similar comment applies to [3].
Chapter 2

Predicates on Traces


In this chapter we present a notation for expressing predicates on traces. It is a variant of the past-time temporal logic notations presented in [15,4]. We shall use this notation throughout the thesis, and in particular we shall use it in this chapter to give the semantics of a very simple programming language, similar to the one used by Chandy and Misra in [6].

2.1 Traces

First of all we define the operations and predicates we shall use in discussing traces. A trace is a sequence of elements taken from some nonempty set. $Q^{+}$ is the set of all finite traces of nonzero length formed from (nonempty) set $Q$, $Q^{\omega}$ is the set of all infinite traces formed from $Q$, and $Q^{\infty}$ is $Q^{+} \cup Q^{\omega}$. $\epsilon$ is the unique trace of zero length.

Definition: Given $v \in Q^{+} \cup \{\epsilon\}$, $w \in Q^{\infty} \cup \{\epsilon\}$ and $q, q' \in Q$ s.t. $q \neq q'$,

• $vw$ is the catenation of traces $v$ and $w$;

• $(vq) \bullet (qw) = vqw$ and $(vq) \bullet (q'w) = vqq'w$;

• $\mathrm{is}(qw) = q$ and $\mathrm{fs}(vq) = q$.

The $\bullet$ operator is a form of catenation which coalesces the final state of its first operand and initial state of its second operand if they are the same state. $\mathrm{is}(v)$ is the initial state of trace $v$, and $\mathrm{fs}(v)$ is the final state of $v$ if $v$ is finite.

Definition: For all $v, w \in Q^{\infty}$, $v \le w$ iff $v = w$ or $v$ is a finite, initial subsequence of $w$, i.e. $w = vv'$ for some $v' \in Q^{\infty}$.

The relation $\le$ is a partial order on $Q^{\infty}$ with the properties that $\{\, v' \mid v' \le v \,\}$ is totally ordered for all $v$, and every totally ordered $V \subseteq Q^{\infty}$ has a least upper bound in $Q^{\infty}$ [10], written $\lim V$.
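The operations just defined, as an added Python example that is not part of the thesis, on finite traces represented as tuples of states. Infinite traces are not represented; each function is applied only to arguments the definitions allow to be finite, and the names are my own.

```python
# Added example (not from the thesis): catenation, the coalescing catenation
# (bullet), is, fs, the prefix order and its least upper bound on finite traces.
EPS = ()          # epsilon, the unique trace of length zero


def catenate(v, w):
    return tuple(v) + tuple(w)


def bullet(v, w):
    """(vq) . (qw) = vqw and (vq) . (q'w) = vqq'w for q != q': catenation that
    coalesces fs(v) with is(w) when they are the same state.  Both operands must
    contain at least one state, as in the definition."""
    if not v or not w:
        raise ValueError("bullet needs a final state of v and an initial state of w")
    return tuple(v) + (tuple(w[1:]) if v[-1] == w[0] else tuple(w))


def initial_state(v):     # is(qw) = q
    return v[0]


def final_state(v):       # fs(vq) = q, for finite v
    return v[-1]


def is_prefix(v, w):
    """v <= w: v = w or v is a finite initial subsequence of w, i.e. w = v v'."""
    return len(v) <= len(w) and tuple(w[: len(v)]) == tuple(v)


def lim(chain):
    """Least upper bound under <= of a totally ordered set of finite traces:
    its longest element (for an infinite chain the bound would be infinite)."""
    chain = [tuple(v) for v in chain]
    top = max(chain, key=len)
    assert all(is_prefix(v, top) for v in chain), "not totally ordered"
    return top


def split(t, s):
    """For nonempty s <= t, the unique u with fs(s) = is(u) and t = s . u:
    the remainder of t seen from the last state of s, sharing that state."""
    assert s and is_prefix(s, t)
    return tuple(t[len(s) - 1:])
```

`split` is the inverse of `bullet` for a prefix: `bullet(s, split(t, s)) == t`. It is the decomposition $t = s \bullet u$ that the semantics of the $\lceil\,\rceil$ operator in Section 2.2.2 quantifies over.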

Notational convention: By convention, the variable $q$ (and $q'$, etc.) shall always be understood to be an element of $Q$; the variables $r$ and $s$ (and $r'$, $s'$, etc.) shall be understood to be elements of $Q^{+}$; and the variables $t$ and $u$ (and $t'$, $u'$, etc.) shall be understood to be elements of $Q^{\omega}$. Hence a formula such as

\[ \exists s, q, t\, (R(s, q, t)) \]

will be understood to mean

\[ \exists s \in Q^{+}, q \in Q, t \in Q^{\omega}\, (R(s, q, t)) \]
2.2 A notation for expressing predicates on traces

In this section we present our notation for expressing properties of traces, and give its semantics.

2.2.1 The notation and its informal semantics

To begin with, let $V$ be some infinite set of symbols which will represent quantifiable variables, i.e. an element $v$ of $V$ will appear in expressions of the form '$\forall v\, \varphi$' and '$\exists v\, \varphi$'. Then

Definition: A vocabulary is a tuple $W = (B, U, C)$, where

1. $B$ is a set of symbols representing binary functions;

2. $U$ is a set of symbols representing unary functions;

3. $C$ is a set of symbols representing constants;

4. $B$, $U$, $C$ and $V$ are pairwise disjoint.

Such a vocabulary $W$ defines a set of formulas, according to the following grammar:

\[
\begin{aligned}
E   &::= E_u \mid E_u\; B\; E \mid E_u\; L_b\; E \\
E_u &::= C \mid V \mid U\; E_u \mid L_u\; E_u \mid (\, E_L \,) \mid \lfloor E \rfloor \mid \lceil E \rceil \\
E_L &::= E \mid E\; \text{,}\; E_L \\
L_b &::= \wedge \mid = \\
L_u &::= \neg \mid \forall\, V \mid \text{.} \mid \oplus \mid \ominus \mid \boxminus \mid \boxplus
\end{aligned}
\]

Where $W$ is understood we will just write $E$ for the set of formulas of $W$, and $E_u$ for the formulas produced starting with the second grammar rule above.

When writing formulas we will write '$\exists v\, \varphi$', '$\varphi_1 \vee \varphi_2$', '$\varphi_1 \Rightarrow \varphi_2$', '$\varphi_1 \Leftrightarrow \varphi_2$' and '$\varphi_1 \neq \varphi_2$' as abbreviations for the obvious expressions containing '$\forall$', '$\wedge$', '$\neg$' and '$=$', and we will feel free to use all the other common abbreviations, such as leaving out parentheses when no ambiguity results, writing '$\forall v \in S\, (\varphi)$' for '$\forall v\, (v \in S \Rightarrow \varphi)$', etc.

A formula is assigned a value for any pair $(s, t)$ s.t. $s \le t$. If $t$ is a complete trace of a system, $s$ is the sequence of states traversed up to some moment and formula $\varphi$ is assigned the value $\mathit{tt}$ for the pair $(s, t)$, we say that $\varphi$ holds at that moment. Then, informally,

• '$\boxplus\psi$' means '$\psi$ holds now and at all times in the future';

• '$\boxminus\psi$' means '$\psi$ holds now and at all times in the past';

• '$\lfloor S \rfloor$' means 'the sequence of states so far traversed is in $S$';

• '$\lceil T \rceil$' means 'the sequence of states which will be traversed, beginning with the present state, is in $T$';

• '$\oplus\psi$' is the value of $\psi$ in the next state, and if $\psi$ is boolean-valued it then means '$\psi$ holds in the next state';

• '$\ominus\psi$' is the value of $\psi$ in the preceding state, and if $\psi$ is boolean-valued it then means '$\psi$ held in the preceding state';

• if there is no preceding state, then $\ominus\psi$ is false.

The meaning of '.' will be explained later.

We introduce the following abbreviations:

1. '$\mathit{beg}$' abbreviates '$\neg\ominus\mathit{tt}$' ('this is the initial state');

2. '$\Diamond^{+}\varphi$' abbreviates '$\neg\boxplus\neg\varphi$' ('eventually $\varphi$ will be true');

3. '$\Diamond^{-}\varphi$' abbreviates '$\neg\boxminus\neg\varphi$' ('$\varphi$ has been true');

4. '$\Box\varphi$' abbreviates '$\boxminus\varphi \wedge \boxplus\varphi$' ('$\varphi$ is true at all times');

5. '$\Diamond\varphi$' abbreviates '$\neg\Box\neg\varphi$' or '$\Diamond^{-}\varphi \vee \Diamond^{+}\varphi$' ('$\varphi$ is true at some time').

Example: '$\varphi$ holds in the initial state' is expressed by

\[ \Box(\mathit{beg} \Rightarrow \varphi) \]

Example: 'If $I$ always holds, then whenever $\varphi$ holds, eventually $\psi$ holds' is expressed by

\[ \Box I \Rightarrow \Box(\varphi \Rightarrow \Diamond^{+}\psi) \]

Example: 'If $\varphi$ holds infinitely often then so does $\psi$' (where by 'infinitely often' we mean that there is always a future time at which it holds) is expressed by

\[ \Box\Diamond^{+}\varphi \Rightarrow \Box\Diamond^{+}\psi \]

Example: If $S \subseteq Q^{+}$ and $T \subseteq Q^{\omega}$, we define

\[ S \bullet T = \{\, s \bullet t \mid \mathrm{fs}(s) = \mathrm{is}(t) \wedge s \in S \wedge t \in T \,\}. \]

Then the formula

\[ \Diamond(\lfloor S \rfloor \wedge \lceil T \rceil) \]

describes all and only the traces in $S \bullet T$.

2.2.2 Formal semantics of the notation

To give the formal meaning of a formula, we must first define the notion of an interpretation.

Definition: Given a vocabulary $W = (B, U, C)$, an interpretation of $W$ is a tuple $(X, Y, D, M)$, where

1. $X$ and $Y$ are nonempty sets;

2. $D \supseteq \mathbb{B}$, where $\mathbb{B} = \{\mathit{tt}, \mathit{ff}\}$;

3. given any set $Z$, $Z^{c}$ is the closure of $Z$ under the operation of tupling, i.e. $Z^{c}$ is the smallest set $Z' \supseteq Z$ s.t. $(z_1, \ldots, z_n) \in Z'$ whenever $z_1, \ldots, z_n \in Z'$, for any $n \ge 0$;

4. $M$ is a function which maps each $a \in C \cup V$ to some $M[\![a]\!] \in D^{c}$ and each $f \in B \cup U$ to some function $M[\![f]\!] : D^{c} \to D^{c}$.

The elements of set $X$ above are intended to represent time-varying quantities, and $Y$ the set of values they may attain, for a system whose state space (set of possible states) is $Y^{X}$, the set of functions from $X$ into $Y$; thus, if the system's state at a certain moment is $q : X \to Y$, the value of any $x \in X$ at that moment is $q(x)$. In our notation, we write '$.\psi$' for the value of the element of $X$ denoted by $\psi$.

We will generally not fully specify the vocabularies and interpretations we use, simply assuming that the vocabularies contain any of the common mathematical symbols we may need, and that the interpretations give the appropriate meanings to these symbols. For example, we will feel free to use the symbols '$\in$', '$+$', etc., assuming that '$\in$', '$+$' $\in B$, $M[\![\in]\!](x, y) = \mathit{tt}$ if $x \in y$ and $M[\![+]\!](x, y) = x + y$. We will also abuse notation when convenient, for example identifying $a$ with the symbol $a \in C$ s.t. $M[\![a]\!] = a$.

Given a vocabulary $W$, interpretation $I = (X, Y, D, M)$ of $W$ and formula $\varphi$, the meaning of $\varphi$ is

\[ P_I[\![\varphi]\!] : Q^{+} \times Q^{\omega} \to D^{c}, \]

where $Q = Y^{X}$ and $P_I$ is defined below. If $t$ is a complete trace of some system, $s \le t$ and $\varphi \in E$, then $P_I[\![\varphi]\!](s, t)$ may be thought of as the value of the formula $\varphi$ when $s$ is the sequence of states traversed so far. We now make this more precise.

Definition: Given vocabulary $W = (B, U, C)$ and interpretation $I = (X, Y, D, M)$ of $W$, and letting $Q = Y^{X}$, the function $P_I$ is defined as follows for all $\varphi, \varphi_i \in E$, $\psi \in E_u$, $b \in B$, $f \in U$, $v \in V \cup C$, $q \in Q$, $t \in Q^{\omega}$ and $s \le t$ (here and wherever else we can do so without loss of clarity, we drop the subscript $I$):

• $P[\![(\varphi_1, \ldots, \varphi_n)]\!](s, t) = (P[\![\varphi_1]\!](s, t), \ldots, P[\![\varphi_n]\!](s, t))$;

• $P[\![f\,\psi]\!](s, t) = M[\![f]\!](P[\![\psi]\!](s, t))$;

• $P[\![\psi\; b\; \varphi]\!](s, t) = M[\![b]\!](P[\![\psi]\!](s, t), P[\![\varphi]\!](s, t))$;

• $P[\![\neg\psi]\!](s, t) = \mathit{ff}$ if $P[\![\psi]\!](s, t) = \mathit{tt}$, $\mathit{tt}$ otherwise (similarly for '$\wedge$' and '$=$');

• $P[\![\forall v\, \psi]\!](s, t) = \mathit{tt}$ if $P_{I'}[\![\psi]\!](s, t) = \mathit{tt}$ for all $d \in D^{c}$, where $I' = (X, Y, D, M[d/v])$ (if $g$ is a function then $g[d/v]$ indicates the function $g'$ which is the same as $g$ except that $g'(v) = d$), $\mathit{ff}$ otherwise;

• $P[\![\ominus\psi]\!](sq, t) = P[\![\psi]\!](s, t)$ (i.e. $\ominus\psi$ is the value of $\psi$ in the previous state);

• $P[\![\ominus\psi]\!](q, t) = \mathit{ff}$;

• $P[\![\oplus\psi]\!](s, t) = P[\![\psi]\!](sq, t)$, where $q$ is the unique element of $Q$ s.t. $sq \le t$ (i.e. $\oplus\psi$ is the value of $\psi$ in the next state);

• $P[\![.\psi]\!](s, t) = \mathrm{fs}(s)(P[\![\psi]\!](s, t))$ if $P[\![\psi]\!](s, t) \in X$ (i.e. $.\psi$ is the present value of the time-varying quantity $\psi$);

• $P[\![\boxminus\psi]\!](s, t) = \mathit{tt}$ if $P[\![\psi]\!](r, t) = \mathit{tt}$ for all $r \le s$, $\mathit{ff}$ otherwise (i.e. $\boxminus\psi$ is true iff $\psi$ is true now and was true at all times in the past);

• $P[\![\boxplus\psi]\!](s, t) = \mathit{tt}$ if $P[\![\psi]\!](r, t) = \mathit{tt}$ for all $r$ s.t. $s \le r \le t$, $\mathit{ff}$ otherwise (i.e. $\boxplus\psi$ is true iff $\psi$ is true now and will be true at all times in the future);

• $P[\![\lfloor\varphi\rfloor]\!](s, t) = \mathit{tt}$ if $s \in P[\![\varphi]\!](s, t) \subseteq Q^{+}$, $\mathit{ff}$ otherwise (i.e. $\lfloor\varphi\rfloor$ holds iff $\varphi$ denotes a predicate satisfied by the sequence of states traversed so far);

• $P[\![\lceil\varphi\rceil]\!](s, t) = \mathit{tt}$ if

\[ U \subseteq Q^{\omega} \wedge \exists u \in U\, (\mathrm{fs}(s) = \mathrm{is}(u) \wedge t = s \bullet u), \]

where $U = P[\![\varphi]\!](s, t)$, $\mathit{ff}$ otherwise (i.e. $\lceil\varphi\rceil$ is true iff $\varphi$ denotes a predicate describing the future behavior of the system).

Definition: A local formula is one which contains no instance of the operators '$\lceil\,\rceil$', '$\boxplus$' or '$\oplus$'. Note that, for any local formula $\varphi$ and any $s$, $t$ and $t'$ we have that

\[ P[\![\varphi]\!](s, st) = P[\![\varphi]\!](s, st'). \]

With this in mind, we make the following

Definition: For all $\varphi, \varphi' \in E$ and $t \in Q^{\omega}$ s.t. $\varphi'$ is a local formula,

\[
\begin{aligned}
t \models_I \varphi &\triangleq \forall s \le t\, (P_I[\![\varphi]\!](s, t) = \mathit{tt}) \\
\{\lceil\varphi\rceil\}_I &\triangleq \{\, u \in Q^{\omega} \mid u \models_I \varphi \,\} \\
\{\lfloor\varphi'\rfloor\}_I &\triangleq \{\, s \in Q^{+} \mid P_I[\![\varphi']\!](s, st') = \mathit{tt} \,\}
\end{aligned}
\]

where $t'$ is some arbitrary element of $Q^{\omega}$. Here again we will drop the subscript $I$ whenever we can do so without loss of clarity. We write '$\models \varphi$' for '$\forall t \in Q^{\omega}\, (t \models \varphi)$'.

If $t \models \varphi$ we say that $t$ satisfies $\varphi$; if $t$ is a complete trace of the system, this means that $\varphi$ holds at all times. $\{\lceil\varphi\rceil\}$ is the set of traces which satisfy $\varphi$. If $\varphi$ is a local formula then $\{\lfloor\varphi\rfloor\}$ is the set of finite traces for which $\varphi$ is true. Note that

\[ \{\lceil\varphi\rceil\} = \{\lceil\boxplus\varphi\rceil\} = \{\lceil\boxminus\varphi\rceil\} = \{\lceil\Box\varphi\rceil\} \]

Example: Let us suppose that the system in question is a digital circuit, with $X$ being the set of nodes of the circuit. In the following we implicitly use the vocabulary

\[ (\{\text{`}\in\text{'}\},\ \emptyset,\ X \cup \{\text{`}X\text{'}, \text{`}\mathit{tt}\text{'}, \text{`}\mathit{ff}\text{'}\}) \]

and an interpretation $(X, \mathbb{B}, D, M)$ s.t.

1. $X \in D$;

2. $M[\![x]\!] = x$ for all $x \in X$;

3. $M[\![\text{`}X\text{'}]\!] = X$;

4. $M[\![\text{`}\in\text{'}]\!](x, y) = $ if $x \in y$ then $\mathit{tt}$ else $\mathit{ff}$.

We express the fact that the nodes of the circuit always have boolean values by

\[ \{\lceil \forall x \in X\, (.x = \mathit{tt} \vee .x = \mathit{ff}) \rceil\} \]

If the circuit contains a perfect inverter$^{3}$ with input $i$ and output $o$, we can express this by

\[ \{\lceil (\mathit{beg} \vee \ast o \Rightarrow .o = \neg .i) \wedge \Diamond^{+}(.o = \neg .i) \rceil\} \]

where '$\ast x$' is in general an abbreviation for '$(\ominus\mathit{tt}) \wedge .x \neq \ominus .x$' (the value of $x$ has just changed).

$^{3}$A perfect inverter is one which produces no 'glitch' at the output if the input changes value and changes value again before the inverter has responded to the first change.

Example: The following hold for any vocabulary and interpretation, and for any $S \subseteq Q^{+}$, $T \subseteq Q^{\omega}$ and $t \in Q^{\omega}$:

1. $\{\lceil\psi_1\rceil\} \cap \{\lceil\psi_2\rceil\} = \{\lceil\psi_1 \wedge \psi_2\rceil\}$;

2. $\{\lfloor\psi_1\rfloor\} \cap \{\lfloor\psi_2\rfloor\} = \{\lfloor\psi_1 \wedge \psi_2\rfloor\}$;

3. $S = \{\lfloor\varphi\rfloor\}$ iff $\models \lfloor S \rfloor \Leftrightarrow \varphi$;

4. $T = \{\lceil \mathit{beg} \Rightarrow \lceil T \rceil \rceil\}$;

5. [= => A Qip;

6. (= V B^) => if);

7. $\models \oplus\ominus\psi \Leftrightarrow \psi$;

8. $\models \mathit{beg} \vee (\psi \Leftrightarrow \ominus\oplus\psi)$;

9. |= o mi> =>

10. f= (a

11. |= (O 9 ©OVO-

Other properties may be found in [4,17] (in the latter, '$\Box$' and '$\Diamond$' are the same as our '$\boxplus$' and '$\Diamond^{+}$').


2.3 Agents

Suppose that we have a program of form

\[ G \parallel P_1 \parallel \cdots \parallel P_n, \]

where each $P_i$ describes some agent $i$, and $G$ describes some global property of the system such as the initial state. In general we define the meaning of such a program to be

\[ T_G \cap T_1 \cap \cdots \cap T_n, \]

where trace set $T_G$ is the meaning of $G$, and trace set $T_i$ is the meaning of $P_i$ ($T_i$ describes the behavior of agent $i$) for $1 \le i \le n$. In this section we look at how to describe the behavior of an agent.

2.3.1 Action predicates and transition predicates

In order to describe the behavior of an agent in a manner that does not restrict the behavior of any other agent, we must be able to determine when the agent has just acted, changing some portion of the system state. To this end we introduce the notion of an action predicate:

Definition: An action predicate is any $S \subseteq Q^{+}$ s.t.

\[ \models \lfloor S \rfloor \Rightarrow \exists x \in X\, (\ast x) \]

With each agent we associate an action predicate which is true when and only when the agent has just acted; we refer to this as the action predicate of the agent.

We need a way of describing what the results of a particular action by an agent will be. For this purpose we can use some $S \subseteq Q^{+}$ with this interpretation: if the action takes place at a moment when $s$ is the sequence of states traversed so far, then there will be a transition to some state $q$ s.t. $sq \in S$. A trace set $S \subseteq Q^{+}$ used in this way we call a transition predicate. We say that the agent performs $S$ if it performs such an action.

As an example, suppose we have an agent which may only change the values of elements of $L \subseteq X$, and that no other agent may change these values. Then the agent's action predicate is

\[ \{\lfloor \exists x \in L\, (\ast x) \rfloor\}. \]

Furthermore, to describe the action 'invert the (boolean) value of $b$' by this agent, we use the transition predicate

\[ \{\lfloor .b = \neg\ominus .b \wedge \forall x \in L\, (\ast x \Rightarrow x = b) \rfloor\}. \]

Note that this allows the value of any $x \in X - L$ to change; this is to allow for the possibility (however unlikely) that one or more other agents act at precisely the same time as this one.

2.3.2 A simple notation for describing agents

We use what may be considered a generalization of the programming notation used in [6] to describe the behavior of some simple agents. Informally, an expression of the form

\[ SA : [\, e_1 \blacktriangleright c_1 \mid \cdots \mid e_n \blacktriangleright c_n \mid e_{n+1} \rightarrow c_{n+1} \mid \cdots \mid e_m \rightarrow c_m \mid a : a \mid e : e \,] \]

(where $a$, $e$, each $e_i$ and each $c_i$ are local formulas) defines an agent with action predicate $\{\lfloor a \rfloor\}$ which, as long as the error condition $e$ remains false, is for any $i$ enabled to perform $\{\lfloor c_i \rfloor\}$ whenever the corresponding $e_i$ holds. Furthermore, if $e_i$ ($1 \le i \le n$) holds infinitely often then the agent infinitely often performs $\{\lfloor c_i \rfloor\}$, and the agent performs $\{\lfloor c_j \rfloor\}$ ($n < j \le m$) whenever $e_j$ holds and continues to hold 'long enough' (i.e. it is forbidden that $e_j$ begin to hold and continue to hold forever without the agent performing $\{\lfloor c_j \rfloor\}$). Using the terminology of [14], $\{\lfloor c_i \rfloor\}$ is chosen to be performed in a fair (strongly fair) manner or just (weakly fair) manner, according as $i \le n$ or $i > n$. We consider $SA$ to be an abbreviation for

\[ \Big( a \wedge \ominus\boxminus\neg e \Rightarrow \bigvee_{i=1}^{m} (c_i \wedge \ominus e_i) \Big) \wedge \Big( \Box\neg e \Rightarrow \bigwedge_{i=1}^{n} F_i \wedge \bigwedge_{i=n+1}^{m} J_i \Big) \]

where for all $i$,

\[
\begin{aligned}
F_i &= \Box\Diamond^{+} e_i \Rightarrow \Box\Diamond^{+}(e_i \wedge \oplus c_i) \\
J_i &= \Box\Diamond^{+}(\neg e_i \vee (e_i \wedge \oplus c_i)) = \Box\Diamond^{+}(\neg e_i \vee \oplus c_i)
\end{aligned}
\]

As an example, a non-perfect inverter with input $i$ and output $o$ may be described by

\[ \{\lceil [\, .i = .o \rightarrow \ast o \mid a : \ast o \mid e : \ast i \wedge \ominus(.i = .o) \,] \rceil\} \]
2.4 Semantics of two simple concurrent languages

2.4.1 Digital circuits

Our first concurrent language is a simple notation for describing asynchronous digital circuits composed of five types of primitive elements. Let $N$ be a set of symbols used to identify nodes in the circuit. The syntax of the notation is then

PR ::= PR ‘∥’ PR | ‘I’(N; N) | ‘A’(N, N; N) | ‘O’(N, N; N) | ‘C’(N, N; N) | ‘R’(N, N; N, N)

‘I(a; b)’ indicates an inverter with input $a$ and output $b$; ‘A(a, b; c)’ indicates an AND gate with inputs $a$ and $b$ and output $c$, and similarly for ‘O(a, b; c)’. ‘C(a, b; c)’ indicates a C-element (footnote 4) with inputs $a$ and $b$ and output $c$. ‘R(r1, r2; a1, a2)’ indicates a fair arbiter (footnote 5) with request-acknowledge pairs $r_1, a_1$ and $r_2, a_2$. We add the restriction that no $n \in N$ may appear twice as an output in a program.

We will write ‘$\zeta(e_1, e_2)$’ for ‘$\neg e_1 \wedge \ominus(e_1 \wedge \neg e_2)$’. $\zeta(e_1, e_2)$ indicates a condition which may produce a ‘glitch’ or ‘runt pulse’ in the output of some logic element; for example, for an AND gate with inputs $a$ and $b$ and output $c$, if $\zeta(.a \wedge .b, .c)$ ever holds this says that the gate has been excited to change its output to high, but the excitation was removed before it could do so.

We define

$$\mathrm{elem}[\![\,e_1 \mid e_2 \mid n\,]\!] = \{[\varphi]\},$$

where

$$\varphi = [\; e_1 \wedge \neg.n \to .n \;\mid\; e_2 \wedge .n \to \neg.n \;\mid\; a : *n \;\mid\; e : \zeta(e_1, .n) \vee \zeta(e_2, \neg.n) \;].$$

$\mathrm{elem}[\![\,e_1 \mid e_2 \mid n\,]\!]$ describes a logic element with an output $n$ which becomes true when $e_1$ holds, false when $e_2$ holds, and otherwise does not change.

The meaning of a program $P \in PR$ is then given by the semantic function $\mathcal{M} : PR \to \wp(Q^\omega)$ (footnote 6), where $Q =$ and

• $\mathcal{M}[\![P_1 \parallel P_2]\!] = \mathcal{M}[\![P_1]\!] \cap \mathcal{M}[\![P_2]\!]$;

• $\mathcal{M}[\![I(a; b)]\!] = \mathrm{elem}[\![\,\neg.a \mid .a \mid b\,]\!]$;

• $\mathcal{M}[\![A(a, b; c)]\!] = \mathrm{elem}[\![\,.a \wedge .b \mid \neg(.a \wedge .b) \mid c\,]\!]$;

• $\mathcal{M}[\![O(a, b; c)]\!] = \mathrm{elem}[\![\,.a \vee .b \mid \neg(.a \vee .b) \mid c\,]\!]$;

• $\mathcal{M}[\![C(a, b; c)]\!] = \mathrm{elem}[\![\,.a \wedge .b \mid \neg.a \wedge \neg.b \mid c\,]\!]$;

(4) The output of a C-element goes high when both its inputs are high, low when both its inputs are low, and otherwise remains the same.

(5) An arbiter grants mutually exclusive access to some resource via a set of request-acknowledge pairs. When a device wishes to use the resource, it raises its request, and once it has obtained the resource it may release it by lowering the request. The arbiter grants a device access to the resource by raising the corresponding acknowledge, which remains high until the request goes low and the resource is released.

(6) We write $\wp(Y)$ for the power set of a set $Y$.

• $\mathcal{M}[\![R(r_1, r_2; a_1, a_2)]\!] = \{[\varphi]\}$, where

$$\varphi = [\; .r_1 \wedge \neg.a_1 \wedge \neg.a_2 \to .a_1 \wedge \neg.a_2 \;\mid\; .r_2 \wedge \neg.a_1 \wedge \neg.a_2 \to .a_2 \wedge \neg.a_1 \;\mid\; \neg.r_1 \wedge .a_1 \to \neg.a_1 \wedge \neg.a_2 \;\mid\; \neg.r_2 \wedge .a_2 \to \neg.a_2 \wedge \neg.a_1 \;\mid\; a : *a_1 \vee *a_2 \;\mid\; e : e \;]$$

$$e = \zeta(.r_1, .a_1) \vee \zeta(.r_2, .a_2) \vee \zeta(\neg.r_1, \neg.a_1) \vee \zeta(\neg.r_2, \neg.a_2)$$
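The trace checker below is an added example, not code from the thesis. It takes a circuit program as a list of elements and a finite sequence of node valuations, and reports two things for every element $\mathrm{elem}[\![e_1 \mid e_2 \mid n]\!]$ of the I, A, O and C kinds: steps at which the output changed although neither of the two rules allowed it, and steps at which the error condition $\zeta(e_1, .n) \vee \zeta(e_2, \neg.n)$ holds, so that a runt pulse on a gate's inputs is flagged even when the output has not yet done anything wrong. The arbiter R is left out; the function names, the element-list encoding and the sample trace are constructed for this example.

```python
"""Trace checker for the circuit notation of section 2.4.1 (added example)."""


def excitations(kind, ins):
    """Return (e1, e2) for an element: e1 is the condition under which the
    output is excited to go high, e2 the one under which it is excited to go
    low, exactly as in the semantic clauses for I, A, O and C.  Each is a
    function of a state q (a dict mapping node names to 0/1)."""
    if kind == "I":                       # inverter I(a; n)
        (a,) = ins
        return (lambda q: not q[a], lambda q: bool(q[a]))
    if kind == "A":                       # AND gate A(a, b; n)
        a, b = ins
        return (lambda q: bool(q[a] and q[b]), lambda q: not (q[a] and q[b]))
    if kind == "O":                       # OR gate O(a, b; n)
        a, b = ins
        return (lambda q: bool(q[a] or q[b]), lambda q: not (q[a] or q[b]))
    if kind == "C":                       # C-element C(a, b; n)
        a, b = ins
        return (lambda q: bool(q[a] and q[b]), lambda q: not q[a] and not q[b])
    raise ValueError(f"unknown element kind {kind!r}")


def zeta(e1, e2, prev, cur):
    """zeta(e1, e2) = ¬e1 ∧ ⊖(e1 ∧ ¬e2), evaluated at the step prev -> cur."""
    return (not e1(cur)) and e1(prev) and (not e2(prev))


def parse_program(elements):
    """elements: list of (kind, inputs, output) triples.  Enforces the
    restriction that no node appears twice as an output."""
    outputs = [n for (_, _, n) in elements]
    dup = sorted({n for n in outputs if outputs.count(n) > 1})
    if dup:
        raise ValueError(f"node(s) {dup} appear twice as an output")
    return [(n, *excitations(kind, ins)) for kind, ins, n in elements]


def check_trace(elements, trace):
    """Return a sorted list of (step, node, problem) found in `trace`.

    'unsafe': the output n changed, but the change was not allowed by the
              rules of elem[[e1 | e2 | n]] (it went high without e1, or low
              without e2, holding in the previous state).
    'glitch': the error condition zeta(e1, .n) ∨ zeta(e2, ¬.n) holds, i.e.
              the element was excited and the excitation was withdrawn
              before the output could follow (a possible runt pulse).
    """
    prog = parse_program(elements)
    problems = []
    for step in range(1, len(trace)):
        prev, cur = trace[step - 1], trace[step]
        for n, e1, e2 in prog:
            out_hi = lambda q, n=n: bool(q[n])     # .n
            out_lo = lambda q, n=n: not q[n]       # ¬.n
            if cur[n] != prev[n]:
                allowed = e1(prev) if cur[n] else e2(prev)
                if not allowed:
                    problems.append((step, n, "unsafe"))
            if zeta(e1, out_hi, prev, cur) or zeta(e2, out_lo, prev, cur):
                problems.append((step, n, "glitch"))
    return sorted(problems)


# Constructed sample: an AND gate A(a, b; c) feeding an inverter I(c; d).
SAMPLE_CIRCUIT = [("A", ("a", "b"), "c"), ("I", ("c",), "d")]


def state(a, b, c, d):
    return {"a": a, "b": b, "c": c, "d": d}


SAMPLE_TRACE = [
    state(0, 0, 0, 1),   # quiescent: c = a ∧ b = 0, d = ¬c = 1
    state(1, 0, 0, 1),
    state(1, 1, 0, 1),   # AND gate excited to go high (e1 ∧ ¬.c)
    state(1, 0, 0, 1),   # excitation withdrawn before c rose: zeta(e1, .c)
    state(1, 0, 1, 1),   # c rises anyway, with no excitation: unsafe
    state(1, 0, 1, 0),   # inverter follows c: allowed by its second rule
]

if __name__ == "__main__":
    for problem in check_trace(SAMPLE_CIRCUIT, SAMPLE_TRACE):
        print(problem)
```

On the sample trace the checker reports a glitch on $c$ at step 3 and an unsafe change of $c$ at step 4; the inverter's change at step 5 is allowed because $.c$ (its $e_2$) held in the previous state.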


2.4.2 Petri nets

Our second concurrent language is that of Petri nets [21]. A Petri net is a graph whose nodes are of two types, places and transitions, such that every arc connects two nodes of different types. For a place $p$ and transition $t$, if there is an arc from $p$ to $t$ (resp. $t$ to $p$) then we say that $p$ is an input place (resp. output place) of $t$. The set of output places of transition $t$ is denoted $t^\bullet$, and its set of input places is denoted ${}^\bullet t$. We imagine that each place may hold a number of tokens. The distribution of tokens is modified when a transition fires, removing one token from each input place and adding a token to each output place. A transition may fire only when it is enabled, i.e. when all of its input places contain tokens. Note that a transition may, by firing, disable another transition from firing. Two transitions $t$ and $t'$ cannot fire at the same time if there is a place $p$ that they both affect, i.e. if $p \in t^\bullet \cup {}^\bullet t$ and $p \in t'^\bullet \cup {}^\bullet t'$; we write $t \bowtie t'$ if this is so. The choice of transition firings is strongly fair.

Formally, a (marked) Petri net is a tuple $(P, T, R, M)$, where $P$ is the set of places, $T$ is the set of transitions, $R \subseteq (P \times T) \cup (T \times P)$ is the set of arcs, $M : P \to \mathbb{N}$ (footnote 7) gives the number of tokens initially in each place, and $P \cap T = \emptyset$. We will furthermore assume that $P$ and $T$ are finite.

We will use the state space $Q = \mathbb{N}^{P \cup T}$; for any $q \in Q$, $p \in P$ and $t \in T$, $q(p)$ is the number of tokens in place $p$ and $q(t)$ is the number of times transition $t$ has fired. We will write ‘$x\!\uparrow$’ for ‘$.x = \ominus.x + 1$’, and ‘$x\!\downarrow$’ for ‘$.x = \ominus.x - 1$’.

The behavior of a Petri net $(P, T, R, M)$ is then

$$\{[\,(\mathrm{beg} \Rightarrow \varphi) \wedge ME \wedge \bigwedge_{p \in P} \theta_p \wedge \bigwedge_{t \in T} \psi_t\,]\},$$

where

1. $\varphi = \bigwedge_{p \in P}(.p = M(p)) \wedge \bigwedge_{t \in T}(.t = 0)$;

2. $ME = \bigwedge_{t \bowtie t',\; t \neq t'} \neg(t\!\uparrow \wedge t'\!\uparrow)$;

3. $\theta_p = *p \Rightarrow \bigvee_{t \in T}(*t \wedge p \in O_t \cup J_t)$;

4. $\psi_t = [\; \bigwedge_{p \in I_t} .p > 0 \to t\!\uparrow \wedge \bigwedge_{p \in O_t} p\!\uparrow \wedge \bigwedge_{p \in J_t} p\!\downarrow \;\mid\; a : *t \;\mid\; e : \mathrm{ff} \;]$;

5. $I_t = {}^\bullet t$, $O_t = t^\bullet - {}^\bullet t$ and $J_t = {}^\bullet t - t^\bullet$.

(7) $\mathbb{N}$ is the set of natural numbers.
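The following is an added example, not code from the thesis: a small Python model of a marked Petri net $(P, T, R, M)$ with the enabling and firing rule, the sets $I_t$, $O_t$, $J_t$ of clause 5, the conflict relation $t \bowtie t'$ behind $ME$, the place condition $\theta_p$, and a one-transition-per-step scheduler whose choice is strongly fair because it always fires the least recently fired enabled transition. It goes beyond the text by contrasting that scheduler with an unfair one that starves a transition which is enabled infinitely often. The `PetriNet` class, the function names and the sample mutual-exclusion net are all constructed here.

```python
"""Marked Petri net of section 2.4.2 with a strongly fair scheduler (added example).

A state q maps each place to its token count and each transition to the
number of times it has fired, as in Q = N^(P ∪ T).
"""
from itertools import combinations


class PetriNet:
    def __init__(self, places, transitions, arcs, marking):
        self.P = frozenset(places)
        self.T = frozenset(transitions)
        if self.P & self.T:
            raise ValueError("P and T must be disjoint")
        for a, b in arcs:
            if not ((a in self.P and b in self.T) or (a in self.T and b in self.P)):
                raise ValueError(f"arc {(a, b)} must join a place and a transition")
        self.R = frozenset(arcs)
        self.M = dict(marking)

    def pre(self, t):    # •t, the input places of t
        return frozenset(p for (p, u) in self.R if u == t and p in self.P)

    def post(self, t):   # t•, the output places of t
        return frozenset(p for (u, p) in self.R if u == t and p in self.P)

    # I_t, O_t, J_t as in clause 5: a place in both •t and t• (a self-loop)
    # is needed for enabling but is neither incremented nor decremented.
    def I(self, t): return self.pre(t)
    def O(self, t): return self.post(t) - self.pre(t)
    def J(self, t): return self.pre(t) - self.post(t)

    def initial_state(self):
        q = {p: self.M.get(p, 0) for p in self.P}
        q.update({t: 0 for t in self.T})
        return q

    def enabled(self, q, t):
        return all(q[p] > 0 for p in self.I(t))

    def conflicts(self, t1, t2):   # t1 ⋈ t2: they affect a common place
        return bool((self.pre(t1) | self.post(t1)) & (self.pre(t2) | self.post(t2)))

    def fire(self, q, ts):
        """One step in which every transition in ts fires; ME forbids ⋈ pairs."""
        ts = set(ts)
        for t1, t2 in combinations(ts, 2):
            if self.conflicts(t1, t2):
                raise ValueError(f"{t1} and {t2} conflict and cannot fire together")
        for t in ts:
            if not self.enabled(q, t):
                raise ValueError(f"{t} is not enabled")
        q2 = dict(q)
        for t in ts:
            q2[t] += 1                        # t↑
            for p in self.O(t): q2[p] += 1    # p↑
            for p in self.J(t): q2[p] -= 1    # p↓
        return q2


def theta_holds(net, prev, cur):
    """θ_p for every p: a place changes only because some transition t
    with p ∈ O_t ∪ J_t fired in this step."""
    fired = [t for t in net.T if cur[t] != prev[t]]
    return all(cur[p] == prev[p] or any(p in net.O(t) | net.J(t) for t in fired)
               for p in net.P)


def run(net, steps, fair=True):
    """Fire one transition per step and return the list of fired transitions.
    fair=True picks, among the enabled transitions, the least recently fired
    one (ties by name); a transition enabled infinitely often is then fired
    infinitely often, i.e. the choice is strongly fair.  fair=False always
    takes the alphabetically first enabled transition, which can starve a
    transition that is enabled infinitely often."""
    q = net.initial_state()
    last = {t: -1 for t in net.T}
    fired = []
    for i in range(steps):
        en = sorted(t for t in net.T if net.enabled(q, t))
        if not en:
            break
        t = min(en, key=lambda t: (last[t], t)) if fair else en[0]
        q2 = net.fire(q, {t})
        assert theta_holds(net, q, q2)
        last[t] = i
        fired.append(t)
        q = q2
    return fired


# Constructed sample: two processes competing for one resource token in r,
# plus an independent self-loop transition on place s.
MUTEX = PetriNet(
    places=["r", "w1", "c1", "w2", "c2", "s"],
    transitions=["enter1", "exit1", "enter2", "exit2", "loop_s"],
    arcs=[("w1", "enter1"), ("r", "enter1"), ("enter1", "c1"),
          ("c1", "exit1"), ("exit1", "w1"), ("exit1", "r"),
          ("w2", "enter2"), ("r", "enter2"), ("enter2", "c2"),
          ("c2", "exit2"), ("exit2", "w2"), ("exit2", "r"),
          ("s", "loop_s"), ("loop_s", "s")],
    marking={"r": 1, "w1": 1, "w2": 1, "s": 1},
)

if __name__ == "__main__":
    print("fair:  ", run(MUTEX, 10))
    print("unfair:", run(MUTEX, 10, fair=False))
```

With the unfair choice the run is `enter1, exit1, enter1, exit1, ...` forever: `enter2` is enabled at every other step yet never fires, which the strongly fair semantics of the section rules out. The least-recently-fired rule instead cycles through all five transitions.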
Chapter 3

Satisfiability


3.1 Initial conditions and evolution conditions

We now address the question of how to guarantee that a concurrent program denotes a nonempty trace set, or, equivalently, a satisfiable predicate on traces. As we have seen with the simple programs of Chapter 2, the meaning $T$ of a program will in general be of the form

$$T = T_G \cap \bigcap_{i \in I} T_i$$

where $I$ is the set of agents, $T_i$ is the meaning of the subprogram describing agent $i$ for all $i \in I$, and $T_G$ is some general constraint on the system, not corresponding to any particular agent. We will therefore need to show that certain kinds of set intersections are nonempty.

As a separation of concerns, we shall find it convenient to express $T_G$ as the intersection of two trace sets, one restricting only the initial state (called an initial condition), and the other not restricting the initial state at all (called an evolution condition). Formally,

Definition: An initial condition is any trace set of form

$$\{[\,\mathrm{beg} \Rightarrow [S]\,]\}$$

(which we will write as $S^{in}$) for some $S \subseteq Q^+$. Choosing $S = \{[\varphi]\}$, we see that $\{[\mathrm{beg} \Rightarrow \varphi]\}$ is an initial condition for any local formula $\varphi$. An evolution condition is any $T \subseteq Q^\omega$ s.t.

$$\forall q \in Q\; \exists t \in T\,(is(t) = q).$$

Note that evolution conditions are always nonempty, since $Q \neq \emptyset$, and that any superset of an evolution condition is also an evolution condition.

Property 1. Any $T \subseteq Q^\omega$ can be expressed as the intersection of an initial condition and an evolution condition.

Proof: Let

$$S = \{\, q \mid \exists t \in T\,(q = is(t)) \,\}$$

$$T' = T \cup (Q^\omega - S^{in})$$

$T'$ is an evolution condition, since for all $q$, either $q \in S$, in which case $\exists t \in T\,(q = is(t))$ and $t \in T'$ since $T \subseteq T'$, or

$$q \notin S \;\Rightarrow\; \forall u \in Q^\omega\,(qu \notin S^{in}) \;\Rightarrow\; \forall u \in Q^\omega\,(qu \in T') \;\Rightarrow\; \exists u \in Q^\omega\,(qu \in T').$$

Then since $T \subseteq S^{in}$ we have that $T = S^{in} \cap T'$. ∎

Let $T_G = S_G^{in} \cap T_G'$, where $S_G$ describes the initial state of the system; then

$$T = S_G^{in} \cap \Bigl(T_G' \cap \bigcap_{i \in I} T_i\Bigr).$$

Given any evolution condition $T'$ and any $S \subseteq Q^+$ s.t. $S \cap Q$ is nonempty, we have that $T' \cap S^{in}$ is nonempty, since for any $q \in S \cap Q$ there is some $t \in T'$ with $is(t) = q$, and this implies that $t \in S^{in}$. $T$ is then nonempty if

1. $T_G' \cap \bigcap_{i \in I} T_i$ is an evolution condition;

2. $Q \cap S_G$ is nonempty, i.e. there is some state which satisfies $S_G$.

For the language of digital circuits presented in Chapter 2, we had $S_G = \{[\mathrm{tt}]\}$ for all agents $i$, thus trivially satisfying condition 2 above. For the Petri net semantics presented in the same chapter, we had

$$S_G = \{[\,\bigwedge_{p \in P}(.p = M(p)) \wedge \bigwedge_{t \in T}(.t = 0)\,]\};$$

in this case it is also easily seen that condition 2 is satisfied. Condition 2 is easily checked in all the cases we consider, and so henceforth we focus on requirement 1.


3.2 Cores

To prove that requirement 1 is satisfied we will need to use the notion of an $A$-core of a trace set, where $A$ is an action predicate; in this section we develop this notion.

In Chapter 2 we described the behavior of an agent by an expression of the form

$$SA : [\,e_1 \to c_1 \mid \cdots \mid e_n \to c_n \mid e_{n+1} \rightharpoonup c_{n+1} \mid \cdots \mid e_m \rightharpoonup c_m \mid a : a \mid e : e\,]$$

Each of the pairs $(e_i, c_i)$ is a rule allowing the agent to perform $\{[c_i]\}$ whenever $e_i$ holds. Each pair $(e_i, c_i)$ corresponds to a formal object which we call a transition rule:

Definition: A transition rule is a pair $l = (\pi, \tau)$ s.t. $\pi, \tau \subseteq Q^+$. Given some action predicate $A \subseteq Q^+$, we say that $l$ is $A$-admissible iff

1. $\forall s \in \pi\; \exists q\,(sq \in \tau)$, and

2. $\models [\tau] \wedge \ominus[\pi] \Rightarrow [A] \vee \mathrm{null}$,

where

$$\mathrm{null} = \neg\exists x \in X(*x) \wedge \ominus\mathrm{tt}$$

(i.e. $\{[\mathrm{null}]\}$ is the set of $sq$ s.t. $q = fs(s)$). Note that a transition rule is $A$-admissible if it is $A'$-admissible for some $A' \subseteq A$.

In the expression $SA$ above, we would expect that whenever some $e_i$ holds, any state transition allowed by $c_i$ should either be a null transition or should result in $a$ holding, since $\{[a]\}$ is the action predicate of the agent being described. This is equivalent to saying that $(\{[e_i]\}, \{[c_i]\})$ should be $\{[a]\}$-admissible.

A trace set defined by an expression of form $SA$ is a special case of an $\{[a]\}$-founded trace set:

Definition: If $A \subseteq Q^+$ is an action predicate, we say that a trace set $T'$ is $A$-founded iff there exists a countable set $L$ of $A$-admissible transition rules s.t. $T' \supseteq G(L, A)$, where

$$G(L, A) = \mathrm{safe}(L, A) \cap \bigcap_{l \in L} \mathrm{fair}(l)$$

$$\mathrm{safe}(L, A) = \{[\,[A] \Rightarrow \exists(\pi, \tau) \in L\,([\tau] \wedge \ominus[\pi])\,]\}$$

$$\mathrm{fair}(\pi, \tau) = \{[\,\Box\Diamond[\pi] \Rightarrow \Box\Diamond([\pi] \wedge \bigcirc[\tau])\,]\}$$

We say that $L$ is an $A$-core of $T'$.

Examining the definitions, it is easily seen that $\{[SA]\}$ is $\{[a]\}$-founded if for all $i$,

1. $(\{[e_i]\}, \{[c_i]\})$ is $\{[a]\}$-admissible, and

2. $\mathrm{fair}(l) \subseteq \mathrm{just}(l)$, where $l = (\{[e_i]\}, \{[c_i]\})$ and for any transition rule $(\pi, \tau)$,

$$\mathrm{just}(\pi, \tau) = \{[\,\Box\Diamond(\neg[\pi] \vee [\tau])\,]\}.$$

Condition 1 above is sufficient, due to the following.

Property 2. For any transition rule $(\pi, \tau)$,

$$\mathrm{fair}(\pi, \tau) \subseteq \mathrm{just}(\pi, \tau).$$

Proof: For any trace $t$,

$$t \models \Diamond\Box\neg[\pi] \;\Rightarrow\; t \models \Box\Diamond\neg[\pi] \;\Rightarrow\; t \models \Box\Diamond(\neg[\pi] \vee [\tau])$$

and

$$t \models \Box\Diamond([\pi] \wedge \bigcirc[\tau]) \;\Rightarrow\; t \models \Box\Diamond\bigcirc[\tau] \;\Rightarrow\; t \models \Box\Diamond[\tau] \;\Rightarrow\; t \models \Box\Diamond(\neg[\pi] \vee [\tau]).$$

Since $t \in \mathrm{fair}(\pi, \tau)$ iff

$$(t \models \neg\Box\Diamond[\pi]) \vee (t \models \Box\Diamond([\pi] \wedge \bigcirc[\tau]))$$

we then have that $t \in \mathrm{fair}(\pi, \tau) \Rightarrow t \in \mathrm{just}(\pi, \tau)$. ∎

Note that in the definition of an $A$-core $L$ we allow $L$ to be an infinite set of transition rules. We will find this to be very convenient later on when we deal with recursion.
3.3 The main theorem

Returning to the discussion of section 3.1, we want to show that

$$T_G' \cap \bigcap_{i \in I} T_i$$

is an evolution condition. If $T_G'$ is weaker than some constraint on what actions are possible, i.e.

$$T_G' \supseteq \{[\,\mathrm{beg} \vee \mathrm{null} \vee [A]\,]\}$$

for some action predicate $A$, then the following theorem shows that it is sufficient that $\bigcap_{i \in I} T_i$ be $A$-founded.

Theorem 3. $E(A) \cap T'$ is an evolution condition for any action predicate $A$ and $A$-founded trace set $T'$, where

$$E(A) = \{[\,\mathrm{beg} \vee \mathrm{null} \vee [A]\,]\}.$$

Proof: We show that $E(A) \cap T'$ is an evolution condition by constructing, for any $q \in Q$, some $t \in E(A) \cap T'$ s.t. $q = is(t)$, as follows.

First, we make the following definitions:

1. $L$ is some $A$-core of $T'$.

2. $f : \mathbb{N} \to L$ is a function s.t. $\{\, n \in \mathbb{N} \mid f(n) = l \,\}$ is infinite for any $l \in L$. It is a straightforward exercise to show that such a function exists. We shall use $f$ as a means of ‘scheduling’ the transition rules in $L$.

3. $S = \{[\,(\mathrm{beg} \vee \mathrm{null} \vee [A]) \wedge ([A] \Rightarrow \exists(\pi, \tau) \in L\,([\tau] \wedge \ominus[\pi]))\,]\}$.

It is easily seen that for any $t \in Q^\omega$,

$$t \in E(A) \cap \mathrm{safe}(L, A) \iff \forall s < t\,(s \in S).$$

4. $S' = \{[\,\Box[S]\,]\}$.

5. For any $l = (\pi, \tau) \in L$ and $s \in \pi$, $x(s, l)$ is some $sq' \in \tau$ (such a $q'$ exists since $l$ is $A$-admissible).

6. For all $i \in \mathbb{N}$,

(a) $s_0 = q$;

(b) $s_{i+1} = x(s', f(i))$ for some $s' \ge s_i$ s.t. $s' \in \pi \cap S'$, where $f(i) = (\pi, \tau)$, if such an $s'$ exists;

(c) $s_{i+1} = s_i q'$ otherwise, where $q' = fs(s_i)$.

Let $t = \lim\{\, s_i \mid i \in \mathbb{N} \,\}$. Obviously, $is(t) = q$. To show that $t \in E(A) \cap T'$ it suffices to show that $t \in E(A) \cap \mathrm{safe}(L, A)$ and $t \in \mathrm{fair}(l)$ for all $l \in L$. We have that

1. $q \in S$,

2. $x(s, l) \in S$ whenever $s \in \pi$, for any $l = (\pi, \tau) \in L$, and

3. $sq' \in S$ if $q' = fs(s)$;

by induction we then have that $\forall i\; \forall s \le s_i\,(s \in S)$, hence $s \in S$ for any $s < t$ (footnote 1), and so $t \in E(A) \cap \mathrm{safe}(L, A)$.

It remains only to show that $t \in \mathrm{fair}(l)$ for all $l \in L$. Given any $(\pi, \tau) \in L$, suppose that

$$F : \forall s < t\; \exists s'\,(s \le s' < t \wedge s' \in \pi)$$

(i.e. $t \models \Box\Diamond[\pi]$). Then, since $r \in S$ for all $r < t$,

$$\forall s < t\; \exists s'\,(s \le s' < t \wedge s' \in \pi \cap S'),$$

and so

$$\forall s < t\; \exists s' \ge s\,(s' \in \pi \cap S').$$

Hence for all $i$ there is some $s' \ge s_i$ s.t. $s' \in \pi \cap S'$. Then, noting that

1. for all $i$ there is some $j \ge i$ s.t. $f(j) = (\pi, \tau)$, and hence there exist $s'$ and $q$ s.t. $s_i \le s'$, $s'q < t$, $s' \in \pi$ and $s'q \in \tau$;

2. for all $s < t$ there is some $i$ s.t. $s \le s_i$;

we have that

$$G : \forall s < t\; \exists s', q\,(s \le s' \wedge s' \in \pi \wedge s'q < t \wedge s'q \in \tau)$$

(i.e. $t \models \Box\Diamond([\pi] \wedge \bigcirc[\tau])$). So $F \Rightarrow G$, which is the same as

$$t \models \Box\Diamond[\pi] \Rightarrow \Box\Diamond([\pi] \wedge \bigcirc[\tau]),$$

i.e. $t \in \mathrm{fair}(\pi, \tau)$. ∎

(1) Using the fact that, for any totally ordered $V \subseteq Q^\infty$, $s \le \lim V \iff \exists v \in V\,(s \le v)$.

The above theorem forms the core of our approach to ensuring the satisfiability of the predicate denoted by a program.
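The Python below is an added example, not from the thesis, covering both the transition-rule definitions of section 3.2 and the construction in the proof of Theorem 3: it checks $A$-admissibility of rules, builds the scheduled sequence $s_0, s_1, \ldots$ with $f(i)$ cycling through the rules (so every rule is scheduled infinitely often), and checks the prefix against $E(A) \cap \mathrm{safe}(L, A)$ and against a bounded form of $\mathrm{fair}(\pi, \tau)$ that can be decided on a finite prefix. It assumes a finite state space and simplifies $\pi$, $\tau$ and $A$ to predicates on the last one or two states rather than on whole prefixes (so it does not search for a proper extension $s' \ge s_i$ in step 6(b), only tests the current state); the `Rule` class, the function names and the counter sample are constructed for the example.

```python
"""Transition rules, A-admissibility and the Theorem 3 trace construction on
a finite state space (added example; π is a set of states, τ and A are sets
of (s, q) transition pairs)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pi: frozenset     # states in which the rule is enabled
    tau: frozenset    # transitions (s, q) the rule allows

    def successors(self, s):
        return sorted(q for (s2, q) in self.tau if s2 == s)


def admissible(rule, A):
    """l = (π, τ) is A-admissible iff
       1. every s ∈ π has some q with (s, q) ∈ τ, and
       2. every τ-transition from a π-state is in A or is null (q = s)."""
    for s in rule.pi:
        succ = rule.successors(s)
        if not succ:
            return False
        if any(q != s and (s, q) not in A for q in succ):
            return False
    return True


def build_trace(q0, rules, A, steps):
    """The sequence s_0, s_1, ... of the proof: at step i take the scheduled
    rule f(i) = rules[i mod |L|]; if its π holds in the current state, extend
    by x(s, f(i)) (here: the smallest allowed successor), otherwise stutter,
    which is a null transition."""
    for l in rules:
        if not admissible(l, A):
            raise ValueError(f"rule {l.name} is not A-admissible")
    trace = [q0]
    for i in range(steps):
        s = trace[-1]
        l = rules[i % len(rules)]
        trace.append(l.successors(s)[0] if s in l.pi else s)
    return trace


def safe_prefix(trace, rules, A):
    """E(A) ∩ safe(L, A) on a prefix: every step is null or in A, and every
    A-step is justified by some rule (π, τ) with s ∈ π and (s, q) ∈ τ."""
    for s, q in zip(trace, trace[1:]):
        if s == q:
            continue
        if (s, q) not in A:
            return False
        if not any(s in l.pi and (s, q) in l.tau for l in rules):
            return False
    return True


def fair_prefix(trace, rules, bound):
    """Bounded form of fair(π, τ), decidable on a finite prefix: whenever π
    holds at a position j (far enough from the end), some τ-step starts
    within the next `bound` steps."""
    last = len(trace) - 1
    for l in rules:
        for j, s in enumerate(trace):
            if j + bound > last or s not in l.pi:
                continue
            if not any((trace[k], trace[k + 1]) in l.tau for k in range(j, j + bound)):
                return False
    return True


# Constructed sample: a counter over the states 0..3.
INC = Rule("inc", frozenset({0, 1, 2}), frozenset({(0, 1), (1, 2), (2, 3)}))
RESET = Rule("reset", frozenset({3}), frozenset({(3, 0)}))
STUCK = Rule("stuck", frozenset({0, 1}), frozenset({(0, 1)}))  # state 1 has no successor
A_CHANGE = frozenset((s, q) for s in range(4) for q in range(4) if s != q)
A_UP = frozenset((s, s + 1) for s in range(3))                  # excludes the reset step

if __name__ == "__main__":
    t = build_trace(0, [INC, RESET], A_CHANGE, 8)
    print(t, safe_prefix(t, [INC, RESET], A_CHANGE), fair_prefix(t, [INC, RESET], 2))
```

With the two rules scheduled alternately the prefix is `0 1 1 2 2 3 0 1 1`: the stutters are the null transitions of step 6(c), taken whenever the scheduled rule's $\pi$ does not hold. `RESET` is `A_CHANGE`-admissible but not `A_UP`-admissible, since its only transition $(3, 0)$ is neither null nor in `A_UP`; `STUCK` fails condition 1 of admissibility, so `build_trace` refuses it.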


3.4 The intersection theorem

For each agent $i \in I$, let us choose an action set $A_i$ s.t. $T_i$ is $A_i$-founded and $A_i \cap A_j = \emptyset$ for all $j \neq i$. If $A_i \subseteq A$ for all $i$, then the following theorem shows that $\bigcap_i T_i$ is $A$-founded.

This theorem may not seem to be applicable to the two programming languages discussed in Chapter 2, since the action sets of distinct agents are definitely not disjoint. However, we shall see shortly how to get around this.

We now give the theorem.

Theorem 4. Let $I$ be a countable set and for all $i \in I$ let $T_i \subseteq Q^\omega$ be $A_i$-founded, where $A_i$ is an action predicate. If $A_i \cap A_j = \emptyset$ for all $i \neq j$, then $\bigcap_i T_i$ is $(\bigcup_i A_i)$-founded.

Proof: For all $i \in I$ let $L_i$ be an $A_i$-core of $T_i$; furthermore, let $A = \bigcup_i A_i$, $L = \bigcup_i L_i$ and

Since each $L_i$ is a countable set of $A_i$-admissible transition rules, $L$ is a countable set of $A$-admissible transition rules. In addition, using the fact that $A_i \cap A_j = \emptyset$ for all $i \neq j$, we have for any $t \in \mathrm{safe}(L, A)$, $i \in I$ and $s < t$ that

$$s \in A_i \;\Rightarrow\; s \in \{[\,[A_i] \wedge ([A] \Rightarrow \exists j\,\exists(\pi, \tau) \in L_j\,([\tau] \wedge \ominus[\pi]))\,]\}$$
$$\Rightarrow\; s \in \{[\,\exists j\,\exists(\pi, \tau) \in L_j\,([A_i] \wedge [\tau] \wedge \ominus[\pi])\,]\}$$
$$\Rightarrow\; s \in \{[\,\exists j\,\exists(\pi, \tau) \in L_j\,([A_i] \wedge [A_j] \wedge [\tau] \wedge \ominus[\pi])\,]\}$$
$$\Rightarrow\; s \in \{[\,\exists j\,\exists(\pi, \tau) \in L_j\,(i = j \wedge [\tau] \wedge \ominus[\pi])\,]\}$$
$$\Rightarrow\; s \in \{[\,\exists(\pi, \tau) \in L_i\,([\tau] \wedge \ominus[\pi])\,]\}$$

and hence $t \in \mathrm{safe}(L_i, A_i)$. So $\mathrm{safe}(L, A) \subseteq \mathrm{safe}(L_i, A_i)$ for all $i \in I$. Then

$$T' \supseteq \bigcap_i \Bigl(\mathrm{safe}(L_i, A_i) \cap \bigcap_{l \in L_i} \mathrm{fair}(l)\Bigr)$$
$$= \bigcap_i \mathrm{safe}(L_i, A_i) \cap \bigcap_{l \in L} \mathrm{fair}(l)$$
$$\supseteq \mathrm{safe}(L, A) \cap \bigcap_{l \in L} \mathrm{fair}(l)$$

i.e. $L$ is an $A$-core of $T'$, and so $T'$ is $A$-founded. ∎

3.5 Non-disjoint action predicates

We now show how to prove satisfiability when the agents of the system being described have non-disjoint action predicates. We begin with one more definition.

Definition: A trace set $T'$ is $(A, A')$-founded ($A$ and $A'$ being action predicates) iff there exists an $A$-core $L$ of $T'$ s.t. each element of $L$ is $A'$-admissible. Such an $L$ is called an $(A, A')$-core of $T'$.

Generally, $A$ will be the agent's action predicate, and $A'$ will be a subset of $A$ indicating a condition when only this agent, and no other, has just acted.

The following property is useful in showing that a trace set is $(A, A')$-founded.

Property 5. Trace set $T'$ is $(A, A')$-founded if there exists an $A$-core $L$ of $T'$ s.t.

$$\forall(\pi, \tau) \in L\; \exists \tau' \subseteq Q^+\,\bigl((\models \ominus[\pi] \wedge [\tau'] \Rightarrow [\tau]) \wedge (\pi, \tau') \text{ is } A'\text{-admissible}\bigr).$$

Proof: Let $L = \{\, (\pi_i, \tau_i) \mid i \in \mathbb{N} \,\}$, and for all $i$ define

$\tau_i'$ = some transition predicate s.t. $\models \ominus[\pi_i] \wedge [\tau_i'] \Rightarrow [\tau_i]$ and $(\pi_i, \tau_i')$ is $A'$-admissible.

Letting $L' = \{\, (\pi_i, \tau_i') \mid i \in \mathbb{N} \,\}$, we have that

$$G(L', A) \subseteq G(L, A) \subseteq T'$$

since $\tau_i' \subseteq \tau_i$ for all $i$. So $L'$ is an $A$-core of $T'$, and by the definition of $\tau_i'$ it is also an $(A, A')$-core of $T'$. ∎
Theorem 6. Let $I$ be a countable set, $T_G'$ a trace set, and for all $i \in I$ let $A_i$, $A_i'$ be action predicates and $T_i$ a trace set s.t.

1. $A_i' \cap A_j' = \emptyset$ for all $j \neq i$, $j \in I$;

2. $\models (\mathrm{beg} \vee \mathrm{null} \vee \exists j \in I\,[A_j']) \wedge [A_i] \Rightarrow [A_i']$;

3. $\{[\,\mathrm{beg} \vee \mathrm{null} \vee \exists j \in I\,[A_j']\,]\} \subseteq T_G'$;

4. $T_i$ is $(A_i, A_i')$-founded.

Then $T_G' \cap \bigcap_{i \in I} T_i$ is an evolution condition.

Proof: For all $i$, let $L_i$ be an $(A_i, A_i')$-core of $T_i$. Then, using 2 above,

$$E\Bigl(\bigcup_j A_j'\Bigr) \cap \mathrm{safe}(L_i, A_i') = \{[\,(\mathrm{beg} \vee \mathrm{null} \vee \exists j\,[A_j']) \wedge ([A_i'] \Rightarrow \exists(\pi, \tau) \in L_i\,([\tau] \wedge \ominus[\pi]))\,]\}$$
$$\subseteq \{[\,(\mathrm{beg} \vee \mathrm{null} \vee \exists j\,[A_j']) \wedge ([A_i] \Rightarrow \exists(\pi, \tau) \in L_i\,([\tau] \wedge \ominus[\pi]))\,]\}$$
$$= E\Bigl(\bigcup_j A_j'\Bigr) \cap \mathrm{safe}(L_i, A_i).$$

Hence, using this and 3 above,

$$E\Bigl(\bigcup_j A_j'\Bigr) \cap G(L_i, A_i') \;\subseteq\; E\Bigl(\bigcup_j A_j'\Bigr) \cap G(L_i, A_i) \;\subseteq\; T_G' \cap T_i.$$

Then

$$E\Bigl(\bigcup_i A_i'\Bigr) \cap \bigcap_i G(L_i, A_i') \;\subseteq\; T_G' \cap \bigcap_i T_i$$

and since Theorem 3 tells us that the left-hand side of the above inclusion is an evolution condition, so is the right-hand side. ∎

In summary then, we show that

$$S_G^{in} \cap T_G \cap \bigcap_{i \in I} T_i$$

is nonempty by finding action predicates $A_i$ and $A_i'$ for all $i$ s.t.

1. there is some state satisfying $S_G$;

2. $\{[\,(\mathrm{beg} \Rightarrow [S_G]) \wedge (\mathrm{beg} \vee \mathrm{null} \vee \exists j\,[A_j'])\,]\} \subseteq T_G$;

3. $A_i' \cap A_j' = \emptyset$ for all $j \neq i$, $i, j \in I$;

4. $\models (\mathrm{beg} \vee \mathrm{null} \vee \exists j \in I\,[A_j']) \wedge [A_i] \Rightarrow [A_i']$ for all $i$;

5. $T_i$ is $(A_i, A_i')$-founded, for all $i$.
3.6 Two proofs of satisfiability

Let

$$(x_1 := e_1, \ldots, x_n := e_n)$$

abbreviate

$$\ominus\mathrm{tt} \wedge \forall x \in X\Bigl(\bigwedge_{i=1}^{n}(x \neq x_i \wedge \neg*x) \vee \bigvee_{i=1}^{n}(x = x_i \wedge .x = \ominus e_i)\Bigr),$$

i.e. there is a previous state, and it is the same as the present state except that the values of the various $x_i$ have been changed in the manner indicated. Furthermore, let ‘$x := e$’ abbreviate

We first look at the digital circuit language of the previous chapter. This case is simple enough that it doesn't require all the steps listed in the previous section.

For all $n \in N$, let

$$a_n = (n := \neg.n),$$

i.e. $\{[a_n]\}$ is an action predicate indicating that the value of node $n$ has just changed, while the values of all other nodes of the circuit remained unchanged.

Using Property 5 and the fact that, for any $n \in N$,

$$\models \ominus\neg.n \wedge (n := \neg.n) \Rightarrow .n \wedge a_n$$
$$\models \ominus.n \wedge (n := \neg.n) \Rightarrow \neg.n \wedge a_n,$$

it is easily seen from their definitions that

1. $\mathcal{M}[\![A(x, y; n)]\!]$, $\mathcal{M}[\![O(x, y; n)]\!]$, $\mathcal{M}[\![C(x, y; n)]\!]$ and $\mathcal{M}[\![I(x; n)]\!]$ are all $(\{[*n]\}, \{[a_n]\})$-founded,

2. $\mathcal{M}[\![R(x, y; n_1, n_2)]\!]$ is $(\{[*n_1 \vee *n_2]\}, \{[a_{n_1} \vee a_{n_2}]\})$-founded,

3. $\{[a_n]\} \cap \{[a_m]\} = \emptyset$ for all $n \neq m$, $n, m \in N$, and

4. $\models (\mathrm{beg} \vee \mathrm{null} \vee \exists m\,(a_m)) \wedge *n \Rightarrow a_n$ for all $n \in N$.

Given a program $P_1 \parallel \cdots \parallel P_k$, let $N_i$ be the set of outputs of the component $P_i$ for all $i$. Note that $N_i$ has either one or two elements, and that $N_i \cap N_j = \emptyset$ for all $i \neq j$. Defining

1. $A_i = \{[\,\bigvee_{n \in N_i} *n\,]\}$ and

2. $A_i' = \{[\,\bigvee_{n \in N_i} a_n\,]\}$,

we see from 1-4 above that

1. $\mathcal{M}[\![P_i]\!]$ is $(A_i, A_i')$-founded for all $i$,

2. $A_i' \cap A_j' = \emptyset$ for all $i \neq j$, and

3. $\models (\mathrm{beg} \vee \mathrm{null} \vee \exists i\,[A_i']) \wedge [A_i] \Rightarrow [A_i']$ for all $i$.

Then by Theorem 6 we have that  is an evolution condition, and hence nonempty. ∎

We now look at the Petri net semantics given in the previous chapter. Let

$$N_t = P - (O_t \cup J_t)$$

$$a_t = *t \wedge \bigwedge_{p \in N_t} \neg*p \wedge \bigwedge_{t' \neq t} \neg*t'$$

$$a = \mathrm{beg} \vee \mathrm{null} \vee \bigvee_{t \in T} a_t$$

We have that $\{[a_t]\} \cap \{[a_{t'}]\} = \emptyset$ for all $t \neq t'$. Furthermore,

$$\models a \wedge *t \Rightarrow a_t.$$

Letting $O_t = \{p_1, \ldots, p_m\}$ and $J_t = \{p_1', \ldots, p_k'\}$, and noting that

$$\models (t := .t + 1,\; p_1 := .p_1 + 1, \ldots, p_m := .p_m + 1,\; p_1' := .p_1' - 1, \ldots, p_k' := .p_k' - 1) \Rightarrow a_t \wedge \Bigl(t\!\uparrow \wedge \bigwedge_{p \in O_t} p\!\uparrow \wedge \bigwedge_{p \in J_t} p\!\downarrow\Bigr)$$

we see that $\{[\psi_t]\}$ is $(\{[*t]\}, \{[a_t]\})$-founded. Finally, it can be shown that

$$\models a \Rightarrow ME \wedge \bigwedge_{p \in P} \theta_p.$$

So, by Theorem 6 we have that

$$\{[\,ME \wedge \bigwedge_{p \in P} \theta_p \wedge \bigwedge_{t \in T} \psi_t\,]\}$$

is an evolution condition. Since there is obviously a state satisfying

$$\{[\,\bigwedge_{p \in P}(.p = M(p)) \wedge \bigwedge_{t \in T}(.t = 0)\,]\}$$

we then have that the set of traces defining a Petri net's behavior is nonempty. ∎
Chapter 4

Processes


So far we have only given the semantics of two very simple programming languages. Now we look at more elaborate languages, in which the agents, which we will call processes, are defined using sequential constructs and recursion. As in Chapter 2, we will first present a general notation, and then define the semantics of two languages in terms of this notation. The two languages we will look at are a shared-variables language using P and V operations [9] for synchronization, and a variant of CSP [12] using A. J. Martin's probe function [18].


4.1 A language for describing sequential processes

4.1.1 Syntax and informal semantics

The agents defined with the notation we are about to present may be described as ‘sequential processes’ since they act in an essentially sequential manner, doing one thing at a time. We define a sequential process using sequential composition, IF constructs, and recursion, according to the following grammar:

SP ::= ‘a:’EX_2‘:’BD
BD ::= CS‘; end’
CS ::= CM | CM‘;’CS
CM ::= PC | ‘[’AL‘]’ | ‘[’DL‘|’CS‘]’
PC ::= ‘skip’ | PN | ‘abort’ | ‘[’EX_1‘⇀’EX_2‘]’ | ‘[’EX_1‘→’EX_2‘]’
AL ::= EX_1‘→’CS | EX_1‘→’CS‘|’AL
DL ::= PN‘=’CS | PN‘=’CS‘|’DL
PN ::= procedure names
EX_1 ::= state formulas
EX_2 ::= state relations

where

1. A state formula is a local formula which contains no instance of ‘$\ominus$’, ‘$\boxminus$’ nor ‘$[\cdot]$’.

2. A state relation is a local formula containing no instance of ‘$\boxminus$’ nor ‘$[\cdot]$’ s.t., for any subexpression $\ominus\varphi$, $\varphi$ is a state formula.

Note that the value of a state formula depends only on the present state, and that of a state relation depends only on the present and immediately preceding state.

The expression ‘a : $a$ : $R$’ defines a process with action set $\{[a]\}$, whose behavior is given by $R$. Informally, the meanings of the various commands are as follows. ‘skip’ means ‘do nothing’; ‘abort’ means that something has gone wrong, and the process may do anything; ‘[e ⇀ c]’ and ‘[e → c]’ mean ‘wait for $e$ to hold and then perform $\{[c]\}$ while $e$ still holds’, with termination being guaranteed for the former if at some time $e$ holds and continues to hold until the action takes place, and for the latter if $e$ holds infinitely often; ‘end’ means ‘halt and perform no further action’.

$$[\,e_1 \to R_1 \mid \cdots \mid e_n \to R_n\,]$$

means ‘wait for $e_i$ to hold for some $i$, then choose some $i$ s.t. $e_i$ holds and execute $R_i$’.

$$[\,p_1 = R_1 \mid \cdots \mid p_n = R_n \mid R\,]$$

means that $R$ is to be executed with each $p_i$ defined as $R_i$; the definitions may be mutually recursive, the various $p_i$ occurring in any of the $R_j$.

Note that we do not need to explicitly include iteration in this language, since the iteration

$$\mathbf{while}\; e\; \mathbf{do}\; R\; \mathbf{od}$$

may be considered an abbreviation for

$$[\,p = [\,e \to R \mid \neg e \to \mathbf{skip}\,] \mid p\,].$$


4.1.2 Formal semantics

Given any $c \in EX_2$, we will write $c^\dagger$ for the formula obtained from $c$ by replacing any subexpression of form $\ominus\varphi$ by $\varphi$. $c^\dagger$ expresses a condition that holds when $\{[c]\}$ has just been performed, but caused no change of state; for example,

$$((.x = \ominus.y) \wedge (.y = \ominus.x))^\dagger$$

is equivalent to

$$.x = .y$$

and expresses the condition that the values of $x$ and $y$ were just swapped, but no state change occurred because the values were already equal. We also write $c^*$ for ‘$c \vee c^\dagger$’.

Given any $p \in PN$ and $R \in CS$, a free instance of $p$ in $R$ is any instance of $p$ in $R$ which is not contained within a subformula $[\,p_1 = R_1 \mid \cdots \mid p_n = R_n \mid R'\,]$ of $R$ s.t. $p = p_i$ for some $i$.

We now give the formal semantics of this notation.

Definition: The semantics of $SP$ is given by the semantic function

$$\mathcal{M} : SP \to \wp(Q^\omega)$$

defined by

$$\mathcal{M}[\![\,a : a : R\,]\!] = S_a[\![R]\!]$$

for all $a \in EX_2$ and $R \in BD$. Informally, the function

$$S_a : BD \to \wp(Q^\omega)$$

gives, for any $R \in BD$, the behavior of a process with action predicate $\{[a]\}$, starting at a moment when $R$ is the remainder of the program to be executed. It is defined by

• $S_a[\![\mathbf{end}]\!] = \{[\,\Box\neg a\,]\}$;

• $S_a[\![\mathbf{skip}; R]\!] = S_a[\![R]\!]$;

• $S_a[\![\mathbf{abort}; R]\!] = \{[\mathrm{tt}]\}$;

• $S_a[\![[e \rightharpoonup c]; R]\!] = \{[\,\Diamond((\ominus(\boxminus\neg a \wedge e) \wedge c)^* \wedge \lfloor S_a[\![R]\!] \rfloor) \vee (\Box\neg a \wedge \Box\Diamond\neg e)\,]\}$;

• $S_a[\![[e \to c]; R]\!] = \{[\,\Diamond((\ominus(\boxminus\neg a \wedge e) \wedge c)^* \wedge \lfloor S_a[\![R]\!] \rfloor) \vee (\Box\neg a \wedge \Diamond\Box\neg e)\,]\}$;

• $S_a[\![[p_1 = R_1 \mid \cdots \mid p_n = R_n \mid R']; R]\!] = S_a[\![R''; R]\!]$, where $R''$ is obtained from $R'$ by simultaneously replacing each free instance of any $p_i$ in $R'$ by ‘$[\,p_1 = R_1 \mid \cdots \mid p_n = R_n \mid R_i\,]$’;

• $S_a[\![p; R]\!] =$ if $p \in PN$;

• $S_a[\![[e_1 \to R_1 \mid \cdots \mid e_n \to R_n]; R]\!] = \{[\,\bigvee_{i=1}^{n} \Diamond(\boxminus\neg a \wedge e_i \wedge \lfloor S_a[\![R_i; R]\!] \rfloor) \vee \Box(\neg a \wedge \neg\bigvee_{i=1}^{n} e_i)\,]\}$.

One might distrust this recursive definition. We previously used recursion to define $\mathcal{P}$, the function that gives the meaning of a formula. There it is obvious that, for any particular formula $\varphi$, the definition of $\mathcal{P}[\![\varphi]\!]$ can be ‘unrolled’ by repeated substitution to an expression which contains no instance of $\mathcal{P}$, and hence $\mathcal{P}$ is well-defined. This is not so in the recursive definition of $S_a$ above; for example, one can ‘unroll’ the definition of

$$S_a[\![[p_1 = [e \to c]; p_1 \mid p_1]; R]\!]$$

forever without getting an expression that doesn't contain $S_a$. One might then wonder if $S_a$ is well-defined. In the next chapter we will address this issue and justify this use of recursion.

According to our definition of $\mathcal{M}$, there is no way to know that a process has reached the end of its program and terminated. If we consider it important to know this, we can have some $x \in X$ indicate whether or not the process has terminated, letting $q(x) = \mathrm{tt}$ if it has, and $q(x) = \mathrm{ff}$ otherwise, for any state $q$. We then make the last command of the program (just before the ‘end’) be a command setting $x$ to tt.

This semantics might seem ill-suited to modular reasoning about the behavior of a sequential process, since we do not give the meaning of a single command or sequence of commands, only the meaning of the ‘tail end’ of a complete program. However, this is no problem; we can reason about the effect of a sequence of commands $R'$ by proving that some property $\varphi(R)$ holds of $R'; R$, for all $R \in BD$. Similarly, we can reason about the effect of a command

$$[\,p_1 = R_1 \mid \cdots \mid p_n = R_n \mid R'\,]$$

by first proving that, for all $R \in BD$ and $1 \le i \le n$, some property $\varphi_i(R)$ holds of

$$[\,p_1 = R_1 \mid \cdots \mid p_n = R_n \mid R_i\,]; R.$$


4.2  Shared  Variables 

4.2.1  Syntax  and  informal  semantics 

We  now  look  at  a  language  which  describes  a  set  of  concurrent  processes  which  interact  by 
manipulatmg  shared  variables,  with  P  and  V  operations  on  semaphores  [9]  for  synchronization. 
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Let  m  be  a  semaphore.  When  a  process  executes  the  command  P(m),  it  waits  for  .m  >  0  to  hold 
and  then  decrements  the  value  of  m  as  an  atomic  action  while  .m  >  0  still  holds.  If  .m  >  0  holds 
infinitely  often,  then  the  process  is  guaranteed  to  get  its  chance  to  complete  the  P(m)  command  by 
decrementing  the  value  of  m,  otherwise  it  may  be  that  each  time  the  value  of  m  is  positive  it  is  set 
to  0  again  before  the  process  can  act.  When  a  process  executes  the  command  V (m),  it  increments 
the  value  of  m.  These  are  thus  nonstrict,  but  fair,  P  and  V  operations. 

Let  SEM ,  GV  and  LV  be  pairwise  disjoint  sets  whose  elements  are  semaphore  names,  global 
variable  names  and  local  variable  names  respectively.  VN  is  the  union  of  GV  and  LV ,  and  G  is 
the  union  of  GV  and  SEM.  Letting  V  be  the  set  of  possible  values  of  program  variables,  Cp  is  a 
set  of  constant  symbols  denoting  elements  of  V,  and  UP  (resp.  BP)  is  a  set  of  unary  (resp.  binary) 
function  symbols  denoting  functions  with  range  V.  The  syntax  of  this  language  is  then 

PRG ::= IN PL

PL ::= CS | CS ‘||’ PL

IN ::= ‘init[]’ | ‘init[’ IL ‘]’

IL ::= G ‘=’ CP | G ‘=’ CP ‘,’ IL

CS ::= CM | CM ‘;’ CS

CM ::= PC | ‘[’ AL ‘]’ | ‘[’ DL ‘|’ CS ‘]’

PC ::= ‘skip’ | PN | ‘P(’ SEM ‘)’ | ‘V(’ SEM ‘)’ | VN ‘←’ EX

AL ::= EX ‘→’ CS | EX ‘→’ CS ‘|’ AL

DL ::= PN ‘=’ CS | PN ‘=’ CS ‘|’ DL

EX ::= EXU | EXU BP EX | EXU ‘∧’ EX | EXU ‘=’ EX

EXU ::= CP | VN | UP EXU | ‘¬’ EXU | UP ‘(’ EL ‘)’ | ‘(’ EX ‘)’

EL ::= EX | EX ‘,’ EL

A program is then an expression that initializes the values of several variables, followed by a number of expressions each describing a sequential process, separated by ||’s.

To the above syntax we add the additional restriction that for an IF command

$[e_1 \to R_1 \mid \cdots \mid e_n \to R_n]$

only one global variable may appear in the guard set $\{e_1, \ldots, e_n\}$, so that the guards may be evaluated together as one atomic action. For the same reason, we also require that at most one global variable appear in an assignment statement $x \leftarrow e$, with its occurrences limited to only the right-hand side or only the left-hand side. In addition, in the initializing statement

$\mathrm{init}[x_1 = k_1, \ldots, x_n = k_n]$

the various $x_i$ must be distinct, and $k_i$ must denote a natural number if $x_i \in SEM$.

4.2.2  Formal  semantics 

The state space of the system described by a program is $M_X$, where

$X = G \cup \{\, \chi(x) \mid x \in G \,\} \cup \{\, (x, i) \mid x \in LV \wedge i \in \mathbb{N} \,\}.$

It is assumed that $\chi(x)$, $\chi(y)$, $x$, $y$, and $(v, i)$ are all distinct for any $x, y \in G$, $v \in LV$ and $i \in \mathbb{N}$, and that $V \supseteq \mathbb{N} \cup \mathbb{B}$. Each process is identified by a unique natural number, so that $(v, i)$ is the local variable $v$ of process $i$, and for any $x \in G$, the value of $\chi(x)$ is the number of the process that last changed the value of $x$. The value of $\chi(x)$ is meaningless if the value of $x$ has never changed. $\alpha_i$ is the action predicate of process $i$, where

$\alpha_i = \exists x \in G({*}x \wedge .\chi(x) = i) \vee \exists x \in LV({*}(x, i)).$
The meaning of a program

$\mathrm{init}[x_1 = e_1, \ldots, x_n = e_n]\; P_1 \parallel \cdots \parallel P_k$

is then

$\{[\,(\mathrm{beg} \Rightarrow \bigwedge_{i=1}^{n} (.x_i = e_i)) \wedge \varphi_G\,]\} \cap \bigcap_{i=1}^{k} T_i$

where

$\varphi_G = \forall m \in SEM(.m \in \mathbb{N}) \wedge \forall x \in G(.\chi(x) \in \{1, \ldots, k\})$

$T_i = M[\alpha : \alpha_i : P_i'; \mathrm{end}]$

and for all $i$, $P_i'$ is obtained from $P_i$ as follows:

First, every instance of an $x \in GV$ not on the left-hand side of an assignment is replaced by ‘$.x$’, and every instance of a $y \in LV$ not on the left-hand side of an assignment is replaced by ‘$.(y, i)$’. Second, every local assignment

$x \leftarrow e$ (where $x \in LV$)

is replaced by

$[\,\mathrm{tt} \to .(x, i) = \ominus e \wedge \rho(x)\,]$

where for all $x' \in VN$,

$\rho(x') = \forall y \in G(.\chi(y) = i \wedge {*}y \Rightarrow y = x') \wedge \forall y \in LV({*}(y, i) \Rightarrow y = x')$

(this says that process $i$ changes only the value of $x'$). Third, every global assignment

$x \leftarrow e$ (where $x \in GV$)

is replaced by

$[\,\mathrm{tt} \to .\chi(x) = i \wedge .x = \ominus e \wedge \rho(x)\,].$

Finally, every command $P(m)$ is replaced by

$[\,.m > 0 \to .\chi(m) = i \wedge .m = \ominus.m - 1 \wedge \rho(m)\,]$

and every command $V(m)$ is replaced by

$[\,\mathrm{tt} \to .\chi(m) = i \wedge .m = \ominus.m + 1 \wedge \rho(m)\,].$

Here we see the utility of the notation we introduced in the previous section: each $P_i'$ may be regarded as simply an abbreviation for an expression in SP. We will take the same approach in defining the semantics of the language presented in the next section.
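The translation of 4.2.2 can be run mechanically. The following Python model is an added example, not code from the thesis: it encodes the translated commands of a constructed two-process program as guarded atomic actions over the state space $X$ (the globals, the $\chi(x)$ components and the locals $(v, i)$), enumerates every reachable state, and checks $\varphi_G$, the frame condition $\rho$ and mutual exclusion; the program, its variable names and all helper names are hypothetical.

```python
"""Finite-state model of the shared-variable semantics of Section 4.2.

Added example, not code from the thesis.  Each process command is translated
into a guarded atomic action over a state that carries the globals, the
chi(x) components and the locals (v, i), following the rules of 4.2.2; a
breadth-first search then enumerates every reachable (program counters,
state) pair of a constructed two-process semaphore program and checks phi_G,
the frame condition rho(x) and mutual exclusion.  All names are hypothetical.
"""
from collections import deque

SEM = {"m"}          # semaphore names
GV = {"turns"}       # global (non-semaphore) variable names
LV = {"t"}           # local variable names
K = 2                # processes are numbered 1..K


def chi(x):
    """State component chi(x): number of the process that last changed x."""
    return ("chi", x)


# Each translated command is (guard, relation, frame variable, is_local).
def P(m):
    # [.m > 0 -> .chi(m) = i  /\  .m = (-).m - 1  /\  rho(m)]
    return (lambda s: s[m] > 0, lambda s, i: {**s, m: s[m] - 1, chi(m): i}, m, False)


def V(m):
    # [tt -> .chi(m) = i  /\  .m = (-).m + 1  /\  rho(m)]
    return (lambda s: True, lambda s, i: {**s, m: s[m] + 1, chi(m): i}, m, False)


def gassign(x, e):
    # global x <- e:  [tt -> .chi(x) = i  /\  .x = (-)e  /\  rho(x)]
    return (lambda s: True, lambda s, i: {**s, x: e(s, i), chi(x): i}, x, False)


def lassign(x, e):
    # local x <- e:  [tt -> .(x, i) = (-)e  /\  rho(x)]
    return (lambda s: True, lambda s, i: {**s, (x, i): e(s, i)}, x, True)


# Constructed program:  init[m = 1, turns = 0]
#   P_i :  t <- t + 1 ; P(m) ; turns <- turns + 1 ; V(m)      (i = 1, 2)
PROG = [[lassign("t", lambda s, i: s[("t", i)] + 1), P("m"),
         gassign("turns", lambda s, i: s["turns"] + 1), V("m")]
        for _ in range(K)]
CRITICAL = {2, 3}    # program counters between P(m) and V(m)


def init_state():
    s = {"m": 1, "turns": 0}
    for x in SEM | GV:
        s[chi(x)] = 1        # meaningless until x first changes; any value in 1..K
    for i in range(1, K + 1):
        s[("t", i)] = 0
    return s


def phi_G(s):
    """forall m in SEM (.m in N)  /\  forall x in G (.chi(x) in {1..K})."""
    return (all(isinstance(s[m], int) and s[m] >= 0 for m in SEM)
            and all(1 <= s[chi(x)] <= K for x in SEM | GV))


def rho_holds(prev, cur, i, x, is_local):
    """rho(x) for process i: nothing but x (and chi(x) if x is global) changed."""
    allowed = {(x, i)} if is_local else {x, chi(x)}
    return all(prev[k] == cur[k] for k in prev if k not in allowed)


def freeze(s):
    return tuple(sorted(s.items(), key=repr))


def explore(prog=PROG):
    """Enumerate reachable (pcs, state) pairs; return them with any violations."""
    start = (tuple(0 for _ in prog), init_state())
    seen = {(start[0], freeze(start[1]))}
    queue, reached, violations = deque([start]), [], []
    while queue:
        pcs, s = queue.popleft()
        reached.append((pcs, s))
        if not phi_G(s):
            violations.append(("phi_G", pcs))
        if sum(pc in CRITICAL for pc in pcs) > 1:
            violations.append(("mutex", pcs))
        for i, cmds in enumerate(prog, start=1):
            pc = pcs[i - 1]
            if pc == len(cmds):
                continue                       # process i has reached 'end'
            guard, rel, x, is_local = cmds[pc]
            if not guard(s):
                continue                       # blocked, e.g. at P(m) with .m = 0
            nxt = rel(s, i)
            if not rho_holds(s, nxt, i, x, is_local):
                violations.append(("rho", pcs, i))
            new_pcs = pcs[:i - 1] + (pc + 1,) + pcs[i:]
            if (new_pcs, freeze(nxt)) not in seen:
                seen.add((new_pcs, freeze(nxt)))
                queue.append((new_pcs, nxt))
    return reached, violations


def final_states(prog=PROG):
    """States in which every process has executed all of its commands."""
    reached, _ = explore(prog)
    return [s for pcs, s in reached if all(pc == len(c) for pc, c in zip(pcs, prog))]
```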
4.2.3 Satisfiability

Let us rewrite

$T = \{[\,(\mathrm{beg} \Rightarrow \bigwedge_{i=1}^{n} (.x_i = e_i)) \wedge \varphi_G\,]\} \cap \bigcap_{i=1}^{k} T_i$

as

$\{[\,(\mathrm{beg} \Rightarrow \varphi_G \wedge \bigwedge_{i=1}^{n} (.x_i = e_i)) \wedge (\ominus\varphi_G \Rightarrow \varphi_G)\,]\} \cap \bigcap_{i=1}^{k} T_i.$

We can do this because, in general,

$\models \Box\varphi \Leftrightarrow \Box((\mathrm{beg} \Rightarrow \varphi) \wedge (\ominus\varphi \Rightarrow \varphi)).$

For all $i$, let

$\alpha_i' = \exists x \in LV, v \in V({*}(x, i) \wedge \langle (x, i) := v \rangle) \vee \exists x \in G, v \in V({*}x \wedge \langle x := v, \chi(x) := i \rangle \wedge (x \in SEM \Rightarrow \ominus.x \in \mathbb{N})).$

It is straightforward to check that

1. $\models \neg(\alpha_i' \wedge \alpha_j')$ for all $i \ne j$,

2. $\models (\mathrm{beg} \vee \mathrm{null} \vee \exists i(\alpha_i')) \wedge \alpha_i \Rightarrow \alpha_i'$ for all $i$, and

3. $\models (\mathrm{beg} \vee \mathrm{null} \vee \exists i(\alpha_i')) \Rightarrow (\ominus\varphi_G \Rightarrow \varphi_G)$,

and so applying Theorem 6 with

1. $A_i = \{[\alpha_i]\}$, $A_i' = \{[\alpha_i']\}$, and

2. $T_G = \{[\,\ominus\varphi_G \Rightarrow \varphi_G\,]\}$

we see that if $M[\alpha : \alpha_i : P_i'; \mathrm{end}]$ is $(A_i, A_i')$-founded for all $i$, then

$\{[\,(\ominus\varphi_G \Rightarrow \varphi_G) \wedge \bigwedge_{i=1}^{k} \varphi_i\,]\}$

is an evolution condition. Given the restrictions we placed on the initializing statement, it is easily seen that there is a state satisfying

$\varphi_G \wedge \bigwedge_{i=1}^{n} (.x_i = e_i),$

and hence the trace set $T$ is nonempty.

It remains only to show that $M[\alpha : \alpha_i : P_i'; \mathrm{end}]$ is $(A_i, A_i')$-founded for all $i$. The proof of this requires a result, Theorem 12, which will be proven in the next chapter. Theorem 12 states that, for any $R \in BD$ and state relations $\alpha$ and $\alpha'$, if

1. $\{[\alpha]\}$ and $\{[\alpha']\}$ are action predicates and $\alpha' \Rightarrow \alpha$, and

2. for every command of form $[\gamma \to c]$ or $[g \to c]$ in $R$ we can find some state relation $c'$ s.t. $\models c' \Rightarrow c$ and $(\{[\alpha]\}, \{[c']\})$ is $\{[\alpha']\}$-admissible,

then $M[\alpha : \alpha' : R]$ is $(\{[\alpha]\}, \{[\alpha']\})$-admissible. We apply this result to $P_i'$:

1. $\models \alpha_i' \Rightarrow \alpha_i$, hence $A_i' \subseteq A_i$.

2. For the assignment ‘$[\mathrm{tt} \to c]$’, where

$c = .\chi(x) = i \wedge .x = \ominus e \wedge \rho(x)$

($x \in GV$), we choose ‘$\langle x := e, \chi(x) := i \rangle$’ for $c'$, since

$\models \langle x := e, \chi(x) := i \rangle \Rightarrow c \wedge (\alpha_i' \vee \mathrm{null}).$

3. For the P action ‘$[.m > 0 \to c]$’, where

$c = .\chi(m) = i \wedge .m = \ominus.m - 1 \wedge \rho(m),$

we choose ‘$\langle m := .m - 1, \chi(m) := i \rangle$’ for $c'$, since

$\models \langle m := .m - 1, \chi(m) := i \rangle \Rightarrow c$

and

$\models \langle m := .m - 1, \chi(m) := i \rangle \wedge \ominus(.m > 0) \Rightarrow \alpha_i' \vee \mathrm{null}.$

4. Similarly for local assignments and V actions.

Hence $M[\alpha : \alpha_i : P_i'; \mathrm{end}]$ is $(A_i, A_i')$-founded. ∎

4.3  Communicating  Sequential  Processes 

4.3.1  Syntax  and  informal  semantics 

As our second example we look at a modification of Hoare’s “Communicating Sequential Processes”, or CSP [12], described by A. J. Martin in [18]. It is the same as regular CSP except that

• communication actions never appear in guards;

• there is an extra primitive, a function called the probe.

In this language processes interact, not by modifying the values of a pool of shared variables, but only by sending values to each other. Special communication actions are introduced: ‘$e_1!e_2$’ means ‘send the value $e_2$ to process $e_1$’ and ‘$e?x$’ means ‘receive a value from process $e$ and store it in the (internal) variable $x$’. There is no automatic buffering, and hence the communication actions are tightly coupled. If process $i$ wants to send a value to process $j$, it must wait at its send action until process $j$ comes to a matching receive action, and then the communication takes place. Similarly, if process $i$ wants to receive a value from process $j$, it must wait at the receive action until process $j$ comes to a matching send action.

We say that a process is suspended when it is waiting at a communication action. The probe is used to test whether or not a process may become suspended if it initiates a communication. For a process $i$, if the probe $\mathrm{ps}\; j$ is true this means that process $j$ is suspended at a receive from $i$, i.e. it is waiting to receive a value from $i$, and hence process $i$ will not become suspended if it tries to send a message to $j$; conversely, if process $j$ is suspended at a receive from $i$ then $\mathrm{ps}\; j$ will eventually become true unless $j$ is released from suspension first, by $i$ sending it a value. Similarly, if the probe $\mathrm{pr}\; j$ is true then process $j$ is suspended at a send to $i$ and hence process $i$ will not become suspended if it tries to receive a message from $j$, etc. Once $\mathrm{ps}\; j$ becomes true it remains true until the process sends a message to $j$ (thus releasing $j$ from suspension), and similarly for $\mathrm{pr}\; j$.

In an implementation of a CSP program, the probe values may be defined in any way consistent with the above description. In particular, we can define the value of any of a process’s probes to remain constant during the evaluation of an expression containing that probe, after the appropriate external values have been sampled. If we do this, then the evaluation of an expression containing several different probes can be considered an atomic action, since each probe value, once determined, remains constant throughout the remainder of the expression’s evaluation.

The syntax of the language is similar to that of the previous section, and hence we give here only the grammar rules that differ from what was presented there:

PRG ::= PRC | PRC ‘||’ PRG

PRC ::= NAT ‘:’ CS

PC ::= ‘skip’ | PN | EX ‘!’ EX | EX ‘?’ LV | LV ‘←’ EX

EXU ::= CP | LV | UP EXU | ‘¬’ EXU | UP ‘(’ EL ‘)’ | ‘(’ EX ‘)’ | PR

PR ::= ‘ps’ EXU | ‘pr’ EXU

NAT ::= constant symbols denoting natural numbers

We also require for a program $n_1 : c_1 \parallel \cdots \parallel n_k : c_k$ that $n_1, \ldots, n_k$ all be distinct, and that no probe appear in a command of form $e_1!e_2$ or $e?x$.

4.3.2  Formal  semantics 

As in the previous section, $V$ will be the set of possible values of program variables, and we assume that $V \supseteq \mathbb{N} \cup \mathbb{B}$. The state space of the system described by a program is $(V^*)^X$, where $V^*$ is the set of finite (and possibly empty) sequences of elements of $V$, and

$X = \{\, (x, i),\, s(i, j),\, r(i, j),\, \mathrm{ps}(i, j),\, \mathrm{pr}(i, j) \mid x \in LV \wedge i, j \in \mathbb{N} \,\}.$

For all $x \in LV$, $i, j, i', j' \in \mathbb{N}$ and $f, g \in \{s, r, \mathrm{ps}, \mathrm{pr}\}$ we have that $f(i, j) \ne (x, i')$, and if $f(i, j) = g(i', j')$ then $f = g$, $i = i'$ and $j = j'$. We equate the sequence of length one formed from $v \in V$ with $v$ itself, and so $V \subseteq V^*$. In addition, we define

$X_i = \{\, (x, i),\, s(i, j),\, r(j, i) \mid x \in LV \wedge j \in \mathbb{N} \,\}.$

$s(i, j)$ indicates the sequence of values that process $i$ has sent or tried to send to $j$; if $i$ is suspended at a send to $j$, then the last element of this sequence is the value that it is trying to send. $r(i, j)$ indicates the number of times that process $j$ has initiated the receipt of a value from $i$; if $j$ is suspended waiting to receive a value from $i$, then this will be one more than the number of values actually received so far from $i$. $\mathrm{pr}(i, j)$ indicates process $j$’s probe to see if $i$ is sending it a value, and $\mathrm{ps}(i, j)$ is process $i$’s probe to see if $j$ is ready to receive a value.

We introduce the abbreviations

$\mathrm{qs}(i, j) = \ell(.s(i, j)) > .r(i, j)$

$\mathrm{qr}(i, j) = .r(i, j) > \ell(.s(i, j))$

where $\ell(x)$ is the length of sequence $x$. $\mathrm{qs}(i, j)$ holds when process $i$ is suspended trying to send to $j$, and $\mathrm{qr}(i, j)$ holds when process $j$ is suspended trying to receive from $i$. We will also write ‘$\mathrm{ext}(x, a)$’ for sequence $x$ extended by one element, $a$, and ‘$\mathrm{el}(n, x)$’ for the $n$-th element of sequence $x$.

The following hold at all times:

A0: $\forall i, j \in \mathbb{N}(.r(i, j) \in \mathbb{N} \wedge .s(i, j) \in V^* \wedge .\mathrm{pr}(i, j) \in \mathbb{B} \wedge .\mathrm{ps}(i, j) \in \mathbb{B})$

A1: $\forall i, j \in \mathbb{N}({*}s(i, j) \Rightarrow \exists v \in V(.s(i, j) = \mathrm{ext}(\ominus.s(i, j), v)))$

A2: $\forall i, j \in \mathbb{N}({*}r(i, j) \Rightarrow .r(i, j) = \ominus.r(i, j) + 1)$

A3: $\forall i, j \in \mathbb{N}(-1 \le \ell(.s(i, j)) - .r(i, j) \le 1)$

A1 says that the value of $s(i, j)$ can only be changed by extending it with a new element. A2 says that the value of $r(i, j)$ can only be changed by incrementing it. Given the definitions of $\mathrm{qs}$ and $\mathrm{qr}$, A3 implies that process $i$ cannot initiate another send to $j$ while it is suspended at a send to $j$, and process $j$ cannot initiate another receive from $i$ while it is suspended at a receive from $i$.

A4: $\forall i, j \in \mathbb{N}(.\mathrm{ps}(i, j) \Rightarrow \mathrm{qr}(i, j))$

A5: $\forall i, j \in \mathbb{N}(.\mathrm{pr}(i, j) \Rightarrow \mathrm{qs}(i, j))$

A6: $\forall i, j \in \mathbb{N}(\neg.\mathrm{pr}(i, j) \wedge {*}\mathrm{pr}(i, j) \Rightarrow \neg\mathrm{qs}(i, j))$

A7: $\forall i, j \in \mathbb{N}(\neg.\mathrm{ps}(i, j) \wedge {*}\mathrm{ps}(i, j) \Rightarrow \neg\mathrm{qr}(i, j))$

A8: $\forall i, j \in \mathbb{N}(\mathrm{qr}(i, j) \Rightarrow \Diamond(.\mathrm{ps}(i, j) \vee \neg\mathrm{qr}(i, j)))$

A9: $\forall i, j \in \mathbb{N}(\mathrm{qs}(i, j) \Rightarrow \Diamond(.\mathrm{pr}(i, j) \vee \neg\mathrm{qs}(i, j)))$

These formalize the description of the probe we gave earlier.

Initially, the following holds:

A-in: $\forall i, j \in \mathbb{N}(.r(i, j) = 0 \wedge .s(i, j) = \varepsilon \wedge \neg.\mathrm{pr}(i, j) \wedge \neg.\mathrm{ps}(i, j))$,

i.e. no receives nor sends have been initiated, and the probes are all false.

The meaning of a program $n_1 : P_1 \parallel \cdots \parallel n_k : P_k$ is then

$\{[\,(\mathrm{A0}\text{–}\mathrm{A9}) \wedge (\mathrm{beg} \Rightarrow \mathrm{A\text{-}in})\,]\} \cap \bigcap_{i=1}^{k} T_i$

where for all $i$,

$T_i = M[\alpha : \alpha_i : P_i'; \mathrm{end}]$

$\alpha_i = ({*}X_{n_i})$

and $P_i'$ is obtained from $P_i$ as follows:

First, every subexpression of form $\mathrm{ps}\; e$ is replaced by ‘$.\mathrm{ps}(n_i, e)$’, and every subexpression of form $\mathrm{pr}\; e$ is replaced by ‘$.\mathrm{pr}(e, n_i)$’. Second, every instance of a program variable $y \in LV$ which is not the left-hand side of an assignment $y \leftarrow e$ or the right-hand side of a receive command $e?y$ is replaced by ‘$.(y, n_i)$’. Third, every instance of a send command $e_1!e_2$ is replaced by

$[\; e_1 \notin \mathbb{N} \to \mathrm{abort}$
$\mid e_1 \in \mathbb{N} \to [\neg\mathrm{qs}(n_i, e_1) \to \mathrm{initsend}_i];\; [\neg\mathrm{qs}(n_i, e_1) \to \mathrm{skip}]$
$]$

where

$\mathrm{initsend}_i = \rho(s(n_i, e_1)) \wedge .s(n_i, e_1) = \mathrm{ext}(\ominus.s(n_i, e_1), e_2)$

$\rho(x) = \forall x' \in X_{n_i}({*}x' \Rightarrow x' = x)$ for all $x \in X_{n_i}$.

The expression $\mathrm{initsend}_i$ just says that process $n_i$ extends the value of $s(n_i, e_1)$ with $e_2$, and causes no other state change. Fourth, every instance of a receive command $e?y$ is replaced by

$[\; e \notin \mathbb{N} \to \mathrm{abort}$
$\mid e \in \mathbb{N} \to [\neg\mathrm{qr}(e, n_i) \to \mathrm{initrecv}_i];\; [\neg\mathrm{qr}(e, n_i) \to y \leftarrow \mathrm{el}(.r(e, n_i), .s(e, n_i))]$
$]$

where

$\mathrm{initrecv}_i = \rho(r(e, n_i)) \wedge .r(e, n_i) = \ominus.r(e, n_i) + 1.$

The expression $\mathrm{initrecv}_i$ just says that process $n_i$ increments the value of $r(e, n_i)$, and causes no other state change. Finally, every command of form $y \leftarrow e$ is replaced by

$[\,\mathrm{tt} \to .(y, n_i) = \ominus e \wedge \rho((y, n_i))\,].$

The purpose of the guard ‘$\neg\mathrm{qs}(n_i, e_1)$’ in the command

$[\neg\mathrm{qs}(n_i, e_1) \to \mathrm{initsend}_i]$

used above is to ensure that A3 is maintained (similarly for a receive action). It seems certain that this guard could be replaced by ‘tt’ without changing the semantics, since process $n_i$ must wait for $\mathrm{qs}(n_i, e_1)$ to go false before leaving the send command, and this can only become true again by process $n_i$ initiating a send to $e_1$. However, at the time of this writing the author has not proven this assertion, hence we keep the more complex guard.
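The state components, the $\mathrm{initsend}_i$ and $\mathrm{initrecv}_i$ actions and the invariants A0–A7 above can be exercised directly. The following Python model is an added example, not code from the thesis or from Martin's CSP; it treats the probe-setting rule $\varphi_{ij}$ of Section 4.3.3 as a separate environment action, and every class and function name in it is hypothetical.

```python
"""Executable model of the CSP-with-probe state of Section 4.3.2.

Added example, not code from the thesis.  The state carries s(i,j), r(i,j),
ps(i,j) and pr(i,j); initsend, initrecv and the probe rule phi_ij of 4.3.3 are
actions, every step is checked against A0-A7, and two constructed rendezvous
between processes 1 and 2 show how a probe lets a process avoid suspension.
All names are hypothetical.
"""
import copy


class CSPState:
    def __init__(self, n):
        pairs = [(i, j) for i in range(1, n + 1) for j in range(1, n + 1)]
        self.s = {p: () for p in pairs}       # values i has sent or tried to send to j
        self.r = {p: 0 for p in pairs}        # receives that j has initiated from i
        self.ps = {p: False for p in pairs}   # i's probe: is j waiting to receive from i?
        self.pr = {p: False for p in pairs}   # j's probe: is i waiting to send to j?

    def qs(self, i, j):   # process i is suspended at a send to j
        return len(self.s[i, j]) > self.r[i, j]

    def qr(self, i, j):   # process j is suspended at a receive from i
        return self.r[i, j] > len(self.s[i, j])


def a_in(st):
    """A-in: nothing initiated and all probes false."""
    return all(st.r[p] == 0 and st.s[p] == () and not st.pr[p] and not st.ps[p]
               for p in st.r)


def invariants_hold(prev, cur):
    """A0-A7 over the transition prev -> cur (A8, A9 are liveness; see set_probes)."""
    for p in cur.r:
        i, j = p
        ok = (isinstance(cur.r[p], int) and cur.r[p] >= 0                    # A0
              and (cur.s[p] == prev.s[p] or cur.s[p][:-1] == prev.s[p])        # A1
              and (cur.r[p] == prev.r[p] or cur.r[p] == prev.r[p] + 1)         # A2
              and -1 <= len(cur.s[p]) - cur.r[p] <= 1                          # A3
              and (not cur.ps[p] or cur.qr(i, j))                              # A4
              and (not cur.pr[p] or cur.qs(i, j))                              # A5
              and not (prev.pr[p] and not cur.pr[p] and cur.qs(i, j))          # A6
              and not (prev.ps[p] and not cur.ps[p] and cur.qr(i, j)))         # A7
        if not ok:
            return False
    return True


def step(st, action):
    """Apply action to a copy of st, check A0-A7, and return the new state."""
    nxt = copy.deepcopy(st)
    action(nxt)
    if not invariants_hold(st, nxt):
        raise AssertionError("A0-A7 violated")
    return nxt


def initsend(i, j, v):
    """[not qs(i,j) -> initsend_i], together with ps(i,j) := ff as in alpha'_i."""
    def act(st):
        assert not st.qs(i, j), "A3 guard: i is already suspended at a send to j"
        st.s[i, j] = st.s[i, j] + (v,)          # ext(s(i,j), v)
        st.ps[i, j] = False
    return act


def initrecv(j, i):
    """Process j initiates a receive from i: [not qr(i,j) -> initrecv], pr(i,j) := ff."""
    def act(st):
        assert not st.qr(i, j), "A3 guard: j is already suspended at a receive from i"
        st.r[i, j] += 1
        st.pr[i, j] = False
    return act


def set_probes(st):
    """The rule phi_ij: a suspended partner makes the other side's probe true."""
    for (i, j) in st.r:
        if st.qs(i, j):
            st.pr[i, j] = True
        if st.qr(i, j):
            st.ps[i, j] = True


def received(st, j, i):
    """el(.r(i,j), .s(i,j)): the value j obtains once it is no longer suspended on i."""
    assert not st.qr(i, j)
    return st.s[i, j][st.r[i, j] - 1]


def receiver_first():
    """2 waits at 1?y; 'ps 2' in process 1 turns true; 1 then sends 7 without suspending."""
    st = CSPState(2)
    assert a_in(st)
    st = step(st, initrecv(2, 1))
    suspended = st.qr(1, 2)
    st = step(st, set_probes)           # A8: ps(1,2) eventually becomes true
    probe = st.ps[1, 2]                 # what 'ps 2' evaluates to in process 1
    st = step(st, initsend(1, 2, 7))
    return suspended, probe, st.qs(1, 2), received(st, 2, 1)


def sender_first():
    """1 waits at 2!7; 'pr 1' in process 2 turns true; 2's receive releases 1."""
    st = CSPState(2)
    st = step(st, initsend(1, 2, 7))
    st = step(st, set_probes)           # A9: pr(1,2) eventually becomes true
    probe = st.pr[1, 2]                 # what 'pr 1' evaluates to in process 2
    st = step(st, initrecv(2, 1))       # resets pr(1,2) and releases process 1
    return probe, st.qs(1, 2), st.pr[1, 2], received(st, 2, 1)
```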

4.3.3 Satisfiability

For all $i, j \in \mathbb{N}$, let

$\alpha_i' = \exists x \in LV({*}(x, i))$
$\quad\vee\; \exists j \in \mathbb{N}(\ominus\neg\mathrm{qr}(j, i) \wedge \langle r(j, i) := .r(j, i) + 1,\; \mathrm{pr}(j, i) := \mathrm{ff} \rangle)$
$\quad\vee\; \exists j \in \mathbb{N}, v \in V(\ominus\neg\mathrm{qs}(i, j) \wedge \langle s(i, j) := \mathrm{ext}(.s(i, j), v),\; \mathrm{ps}(i, j) := \mathrm{ff} \rangle)$

$\alpha_{ij}' = \neg\mathrm{null} \wedge ((\ominus\mathrm{qr}(i, j) \wedge \langle \mathrm{ps}(i, j) := \mathrm{tt} \rangle) \vee (\ominus\mathrm{qs}(i, j) \wedge \langle \mathrm{pr}(i, j) := \mathrm{tt} \rangle))$

$\varphi_{ij} = [\,\mathrm{qs}(i, j) \to \mathrm{pr}(i, j) := \mathrm{tt} \mid \mathrm{qr}(i, j) \to \mathrm{ps}(i, j) := \mathrm{tt} \mid \alpha : \alpha_{ij}' \mid \alpha : \mathrm{ff}\,]$

Noting that $\models \varphi_{ij} \Rightarrow \mathrm{A8} \wedge \mathrm{A9}$, we see that

$\{[\,(\mathrm{beg} \Rightarrow \mathrm{A\text{-}in} \wedge \mathrm{AX}) \wedge (\ominus\mathrm{AX} \Rightarrow \mathrm{AX}) \wedge \forall i, j \in \mathbb{N}(\varphi_{ij})\,]\} \cap \bigcap_{i=1}^{k} T_i \subseteq T,$

where $\mathrm{AX} = (\mathrm{A0}\text{–}\mathrm{A7})$.

Defining $\alpha_{ij} = \alpha_{ij}'$, it is straightforward to check that

1. $\models \neg(\alpha_i' \wedge \alpha_j')$ for all $i \ne j$,

2. $\models \neg(\alpha_i' \wedge \alpha_{kl}')$ for all $i, k, l$,

3. $\models \neg(\alpha_{ij}' \wedge \alpha_{kl}')$ for all $(i, j) \ne (k, l)$,

4. $\models (\mathrm{beg} \vee \mathrm{null} \vee \exists j(\alpha_j') \vee \exists k, l(\alpha_{kl}')) \wedge \alpha_i \Rightarrow \alpha_i'$ for all $i$,

5. $\models (\mathrm{beg} \vee \mathrm{null} \vee \exists j(\alpha_j') \vee \exists k, l(\alpha_{kl}')) \Rightarrow (\ominus\mathrm{AX} \Rightarrow \mathrm{AX})$, and

6. $\{[\varphi_{ij}]\}$ is $(\{[\alpha_{ij}]\}, \{[\alpha_{ij}']\})$-founded for all $i$ and $j$,

and so applying Theorem 6 with

1. $A_i = \{[\alpha_i]\}$, $A_i' = \{[\alpha_i']\}$, $A_{ij} = A_{ij}' = \{[\alpha_{ij}']\}$,

2. $T_G = \{[\,\ominus\mathrm{AX} \Rightarrow \mathrm{AX}\,]\}$,

3. $T_{ij} = \{[\varphi_{ij}]\}$,

we see that if $T_i = M[\alpha : \alpha_i : P_i'; \mathrm{end}]$ is $(A_i, A_i')$-founded for all $i$, then

$\{[\,(\mathrm{beg} \Rightarrow \mathrm{A\text{-}in} \wedge \mathrm{AX}) \wedge (\ominus\mathrm{AX} \Rightarrow \mathrm{AX}) \wedge \forall i, j \in \mathbb{N}(\varphi_{ij})\,]\} \cap \bigcap_{i=1}^{k} T_i$

is an evolution condition. Since it is easily seen that there is a state satisfying A-in and A0–A7, we then have that the trace set $T$ is nonempty.

It remains only to show that $M[\alpha : \alpha_i : P_i'; \mathrm{end}]$ is $(A_i, A_i')$-founded. This can be done using Theorem 12. It is straightforward to verify, as we did with the shared-variables language, that the conditions for applying this theorem hold, hence we omit the details. ∎
Chapter 5

Recursion

We now address some questions which we deferred in the previous chapter. We will discuss how the recursive definition of $S_\alpha$ in the previous chapter, and such definitions in general, are to be interpreted, and how to prove satisfiability for programming languages using recursion.


5.1  Recursion  and  Domains 

In general, recursive definitions are of the form $x = E$, where $E$ is an expression containing $x$; this is equivalent to $x = F(x)$, where $F$ is the function $\lambda x.E$. A solution to the equation $x = F(x)$ is called a fixed-point of $F$. In general, $F$ may have zero, one, or many fixed-points, and hence the equation $x = F(x)$ may not define anything or may not define $x$ uniquely. It is sometimes the case, as in the definition of $P$ in Chapter 2, that a recursively-defined function $f$ is recursively defined on the structure of its argument. In such a case we can, for any argument $x$, ‘unroll’ the definition of $f(x)$ by repeated substitution using the definition of $f$, and so obtain an expression for $f(x)$ which does not contain any instance of $f$; hence the function is well-defined. However, only a restricted class of recursive definitions can be ‘unrolled’ this way, and so we need a more general method of guaranteeing that our recursive definitions do indeed uniquely define some object. This is commonly done by the use of domains.¹

Definition: A domain is a set $D$ with a partial order $\sqsubseteq$ s.t. every countable, totally ordered $C \subseteq D$ has a least upper bound in $D$, denoted $\bigsqcup C$. In particular, the empty set has a least upper bound in $D$, i.e. there is an element $\bot \in D$ s.t. $\bot \sqsubseteq x$ for all $x \in D$. A strong domain is a domain $D$ s.t. every totally ordered $C \subseteq D$ has a least upper bound in $D$.

A totally ordered subset of a domain $D$ is called a chain in $D$. We will often index the elements of a chain $C$ by some totally ordered set $J$, letting $C = \{\, x_i \mid i \in J \,\}$, where $i \le j \Rightarrow x_i \sqsubseteq x_j$ for all $i, j \in J$, and writing $\bigsqcup_i x_i$ for $\bigsqcup C$. The partial ordering $\sqsubseteq$ of a domain we call its approximation ordering, since $x \sqsubseteq y$ is intended to mean that, in some sense, $x$ is an approximation of $y$.

When necessary to distinguish between the bottom elements of different domains, we will write $\bot_D$ for the bottom element of domain $D$.

One example of a strong domain is $p(Y)$, the powerset of some set $Y$. If we take the inclusion relation $\subseteq$ as its approximation ordering, then $\bot = \emptyset$ and $\bigsqcup_i x_i = \bigcup_i x_i$; alternatively, if we take $\supseteq$ as its approximation ordering, then $\bot = Y$ and $\bigsqcup_i x_i = \bigcap_i x_i$. From now on, when we refer to the domain $p(Y)$ for some set $Y$, the latter approximation ordering ($\supseteq$) will be assumed.

¹The properties mentioned in this section are all well known, and hence will not be proven. See, for example, [16].
For any set $Y$ and domain (resp. strong domain) $D$, $D^Y$ is also a domain (resp. strong domain), with approximation ordering $\sqsubseteq$ given by

$f_1 \sqsubseteq f_2 \equiv \forall y \in Y(f_1(y) \sqsubseteq f_2(y))$

for any $f_1, f_2: Y \to D$. For any $y \in Y$ and chain $\{f_i\}$ in $D^Y$, we have that $(\bigsqcup_i f_i)(y) = \bigsqcup_i f_i(y)$. Similarly, given domains (resp. strong domains) $D_1, \ldots, D_n$, the cartesian product $D = D_1 \times \cdots \times D_n$ is also a domain (resp. strong domain), with approximation ordering $\sqsubseteq$ given by

$(x_1, \ldots, x_n) \sqsubseteq (y_1, \ldots, y_n) \equiv x_1 \sqsubseteq y_1 \wedge \cdots \wedge x_n \sqsubseteq y_n$

for any $x, y \in D$. For any chain $\{x_i\}$ in $D$ we have that $\bigsqcup_i x_i = (\bigsqcup_i x_{i,1}, \ldots, \bigsqcup_i x_{i,n})$.

Definition: Let $D_1$ and $D_2$ be two domains; then a function $f: D_1 \to D_2$ is monotonic iff $x \sqsubseteq y \Rightarrow f(x) \sqsubseteq f(y)$ for all $x, y \in D_1$, and it is continuous iff it is monotonic and $f(\bigsqcup_i x_i) = \bigsqcup_i f(x_i)$ for any countable chain $\{x_i\}$ in $D_1$.

For any two domains (resp. strong domains) $D_1$ and $D_2$, the set of monotonic functions from $D_1$ to $D_2$, denoted $(D_1 \to D_2)$, is also a domain (resp. strong domain), as is the set of continuous functions, denoted $(D_1 \to_c D_2)$, with the same approximation ordering as the domain $D_2^{D_1}$.

In order to show that a function $f: D_1 \times \cdots \times D_n \to D$ is monotonic, it suffices to show that $f$ is monotonic in each argument, i.e. given any $1 \le j \le n$ and $y \in D_1 \times \cdots \times D_n$, we have that

$f(y_1, \ldots, y_{j-1}, x, y_{j+1}, \ldots, y_n) \sqsubseteq f(y_1, \ldots, y_{j-1}, x', y_{j+1}, \ldots, y_n)$

for any $x, x' \in D_j$ s.t. $x \sqsubseteq x'$. To show that $f$ is continuous it also suffices to show that $f$ is continuous in each argument, i.e. $f$ is monotonic in each argument and, given any $j$, $y$ and countable chain $\{x_i\}$ in $D_j$,

$f(y_1, \ldots, y_{j-1}, \bigsqcup_i x_i, y_{j+1}, \ldots, y_n) = \bigsqcup_i f(y_1, \ldots, y_{j-1}, x_i, y_{j+1}, \ldots, y_n).$

Definition: Given a domain $D$, a fixed-point of a function $F: D \to D$ is any $x \in D$ s.t. $x = F(x)$. A least fixed-point of $F$ is a fixed-point $x$ of $F$ s.t. $x \sqsubseteq y$ for all fixed-points $y$ of $F$; if such an $x$ exists it is unique, and is denoted $\mathrm{fix}(F)$.

It has been shown that for any strong domain $D$ and monotonic function $F: D \to D$, $F$ has a least fixed-point. In fact, $\mathrm{fix}(F) = \gamma_i$ for some ordinal² $i$, where $\gamma_0 = \bot$, $\gamma_{k+1} = F(\gamma_k)$ for any ordinal $k$, and $\gamma_k = \bigsqcup_{j < k} \gamma_j$ for any limit ordinal³ $k$ (note that $\gamma_j \sqsubseteq \gamma_k$ for all $j < k$).⁴ In addition, it has been shown that for any domain $D$ and continuous function $F: D \to D$, $F$ has a least fixed-point, viz. $\gamma_\omega$.

Given domains $D_i$ ($1 \le i \le n + 1$) and any set $Y$, the following are some continuous (resp. monotonic) functions:

²The ordinals are a totally ordered extension of the natural numbers s.t. every ordinal $i$ has a successor, $i + 1$, which is the least ordinal greater than $i$, and any set of ordinals has a least upper bound which is also an ordinal. See any text on set theory for further details.

³A limit ordinal is a nonzero ordinal which is not the successor of any other ordinal. An example is $\omega$, the least upper bound of the natural numbers.

⁴A proof of these may be found in [20] for the strong domain $p(Y)$ with approximation ordering $\subseteq$, for any set $Y$; the proof is easily generalized to any strong domain.
• any constant function $f: D_1 \to D_2$;

• the identity function on $D_1$;

• the function $\lambda f.\lambda y.f(h(y)): D_1^Y \to D_1^Y$ for any function $h: Y \to Y$;

• the function $\lambda f.f(y): D_1^Y \to D_1$ for any $y \in Y$;

• any function $f: D_1 \times \cdots \times D_n \to D_{n+1}$ defined by $f(x_1, \ldots, x_n) = e$, where $e$ contains only constants, continuous (resp. monotonic) functions and the variables $x_1, \ldots, x_n$.

The recursive definition $x = E$, where $E$ is an expression constructed from $x$, constants and continuous (resp. monotonic) functions, is then taken to be an abbreviation for $x = \mathrm{fix}(F)$, where $F$ is defined by $F(x) = E$, and similarly for a recursive function definition $f(x) = E'$, where $E'$ may contain instances of both $f$ and $x$. For example, the recursive definition of $S_\alpha$ given in the previous chapter may be considered an abbreviation for $S_\alpha = \mathrm{fix}(F)$, where

$F: p(Q^\omega)^{BD} \to p(Q^\omega)^{BD}$

is a monotonic function defined as follows:

•  =  (hoj}; 

• $F(f)[\mathrm{skip}; R] = f[R]$;

• $F(f)[\mathrm{abort}] = \{[\mathrm{tt}]\}$;


An inspection of the definition of $S_\alpha$ will reveal that $F$ is indeed monotonic, and so we have justified our recursive definition of $S_\alpha$.
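The chain $\gamma_0 = \bot$, $\gamma_{k+1} = F(\gamma_k)$ on the domain $p(Y)$ can be computed outright when $Y$ is finite. The following Python block is an added example, not from the thesis: it iterates a constructed monotonic $F$ on $p(Y)$ under the superset ordering adopted above and under the inclusion ordering, showing that the two orderings select different fixed-points of the same $F$; the transition system and all names are hypothetical.

```python
"""Least fixed points on the domain p(Y) of Section 5.1, by Kleene iteration.

Added example, not code from the thesis.  kleene_fix computes the chain
gamma_0 = bottom, gamma_{k+1} = F(gamma_k) until it stabilizes (on a finite
domain this is gamma_n = fix(F)), and the constructed function F below is run
under both orderings of p(Y): the superset ordering (bottom = Y, join =
intersection) that the thesis adopts, and the inclusion ordering.  The
transition system and all names are hypothetical.
"""
from itertools import combinations


def powerset(Y):
    ys = sorted(Y)
    return [frozenset(c) for n in range(len(ys) + 1) for c in combinations(ys, n)]


def is_monotonic(F, elements, leq):
    """x <= y  ==>  F(x) <= F(y) for all x, y of the (finite) domain."""
    return all(leq(F(x), F(y)) for x in elements for y in elements if leq(x, y))


def fixed_points(F, elements):
    """Every x with x = F(x); F may have several, the ordering picks the least."""
    return [x for x in elements if F(x) == x]


def kleene_fix(F, bottom, leq):
    """Return the chain gamma_0 <= gamma_1 <= ... up to the first repeated element."""
    gamma = [bottom]
    while True:
        nxt = F(gamma[-1])
        if not leq(gamma[-1], nxt):
            raise ValueError("chain broken: F is not monotonic w.r.t. leq")
        if nxt == gamma[-1]:
            return gamma
        gamma.append(nxt)


# Constructed finite transition system: a and b cycle safely; c may enter the
# cycle or step to d, which leads to the unsafe state err.
Q = {"a", "b", "c", "d", "err"}
SUCC = {"a": {"b"}, "b": {"a"}, "c": {"a", "d"}, "d": {"err"}, "err": {"err"}}
SAFE = {"a", "b", "c", "d"}


def F(S):
    """q in F(S) iff q is safe and every successor of q lies in S, i.e. S read as a
    constraint on the states that may be visited, kept for one more step."""
    return frozenset(q for q in SAFE if SUCC[q] <= S)


def superset(x, y):   # the approximation ordering on p(Y) adopted in the thesis
    return x >= y


def subset(x, y):
    return x <= y


def least_fixpoint_superset():
    """bottom = Y; the chain shrinks to the largest set closed under F."""
    return kleene_fix(F, frozenset(Q), superset)


def least_fixpoint_subset():
    """bottom = empty set; the chain starts, and stays, at the empty set."""
    return kleene_fix(F, frozenset(), subset)
```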


5.2  Core  domains 

5.2.1  Motivation 

In the previous chapter we were interested in proving that some trace set was $(A, A')$-founded for appropriate action predicates $A$ and $A'$. The usual way to show that some object $x$ defined by $x = F(x)$ has a certain property is to show that the set of things having the property forms a domain (or strong domain), and that $F$ is a continuous (resp. monotonic) function on this domain. For our application, the natural approximation ordering on $p(Q^\omega)$ to use is the superset ordering

$T_1 \sqsubseteq T_2 \equiv T_1 \supseteq T_2,$

i.e. $T_1$ approximates $T_2$ iff $T_1$ is a weaker constraint on the system’s behavior than $T_2$, which makes $p(Q^\omega)$ a strong domain. Unfortunately, the set of $(A, A')$-founded trace sets does not form a subdomain of $p(Q^\omega)$ under this ordering, as the following example shows: Let

1. $A = A' = \{[\,.n > \ominus.n\,]\}$, and

2. $T_i = G(\{l_i\})$ for all $i$, where $l_i = (\{[\mathrm{tt}]\}, \{[\,.n > \ominus.n + i\,]\})$.

It is then easily seen that $T_i$ is $(A, A')$-founded and $T_i \sqsubseteq T_j$ ($T_i \supseteq T_j$) for all $i < j$, but $\bigsqcup_i T_i = \bigcap_i T_i = \emptyset$, and the empty set is definitely not $(A, A')$-founded.

Thus, for example, given action predicates $A$ and $A'$ and a monotonic function $f$ on trace sets which maps $(A, A')$-founded trace sets to $(A, A')$-founded trace sets, we cannot guarantee a priori that $\mathrm{fix}(f)$ is also $(A, A')$-founded. Similar problems arise when we take the fixed-points of monotonic functions on strong domains derived from $p(Q^\omega)$, in particular when we define $S_\alpha = \mathrm{fix}(F)$, where $F$ is the function on the domain $p(Q^\omega)^{BD}$ defined at the end of the previous section.

As  we  shall  see,  these  problems  can  be  overcome  through  the  use  of  core  domains  which  in  some 
sense  parallel  the  strong  domains  we  are  interested  in.  We  begin  by  defining  a  family  of  domains 
from  which  all  our  core  domains  will  be  derived. 

5.2.2  Definitions 

Definition: Given action predicates $A$ and $A'$ s.t. $A' \subseteq A$, $C(A, A')$ is the set of tuples $(S, L)$ s.t. $S \subseteq Q^+$, $L$ is a countable set of $A'$-admissible transition rules and

$\mathrm{safe}(L, A) \subseteq \{[\lceil S \rceil]\}.$

For any $(S, L), (S', L') \in C(A, A')$ we define

$(S, L) \sqsubseteq (S', L') \equiv S \supseteq S' \wedge L \subseteq L'.$


Property 7 If $(S, L) \in C(A, A')$ then $H(L, A) \subseteq S$, where for any set $L$ of transition rules and action predicate $A$,

$H(L, A) = \{\, s \mid \models \lceil s \rceil \Rightarrow \neg A \vee \exists (\gamma, r) \in L(\lceil r \rceil \wedge \ominus\lceil \gamma \rceil) \,\}.$

Proof: For any $s \in H(L, A)$ we have that $sq, sqq, sqqq, \ldots \in H(L, A)$, where $q$ is the last state of $s$, since $\models \mathrm{null} \Rightarrow \neg A$. Let $t = sqqq\cdots$; then $\forall s' \le t(s' \in H(L, A))$, hence $t \in \mathrm{safe}(L, A)$, hence $t \in \{[\lceil S \rceil]\}$, and hence $s \in S$. This is true for any $s \in H(L, A)$, and so $H(L, A) \subseteq S$. ∎

Theorem 8 For any pair of action predicates $A$ and $A'$ s.t. $A' \subseteq A$, $C(A, A')$ is a domain, with least element $\bot = (Q^+, \emptyset)$; furthermore, the l.u.b. of any chain $\{Z_i\}$, where $Z_i = (S_i, L_i)$ for all $i$, is

$\bigsqcup_i Z_i = \big(\bigcap_i S_i,\; \bigcup_i L_i\big).$

Proof: It is easily verified that $\bot$ is an element of $C(A, A')$, that $\bot \sqsubseteq Z'$ for all $Z' \in C(A, A')$, and that $\sqsubseteq$ is a partial order. Let $S = \bigcap_i S_i$, $L = \bigcup_i L_i$ and $Z = (S, L)$, and assume that $Z \in C(A, A')$. Then $Z$ is trivially the l.u.b. of $\{Z_i\}$. It remains only to show that $Z = (S, L)$ is indeed an element of $C(A, A')$:

1. Since $L$ is the countable union of countable sets of $A'$-admissible transition rules, we have that $L$ is a countable set of $A'$-admissible transition rules.

2. For any $t \in \mathrm{safe}(L, A)$ we have that $s \in H(L, A)$ for all $s \le t$. In fact, for any (finite) $s \le t$ we have that $s \in H(L', A)$ for some finite $L' \subseteq L$ since $\{\, r \mid r \le s \,\}$ is finite. Let $n_l$ for all $l \in L'$ be some $j$ s.t. $l \in L_j$, and let $n = \max\{\, n_l \mid l \in L' \,\}$; then, for all $i \ge n$, we see that $L' \subseteq L_n \subseteq L_i$, hence $s \in H(L_i, A)$, and by Property 7 we conclude that $s \in S_i$. Since $S_i \supseteq S_n$ for all $i \le n$, we then have $s \in \bigcap_i S_i = S$. This holds for any $t \in \mathrm{safe}(L, A)$ and $s \le t$, so $\mathrm{safe}(L, A) \subseteq \{[\lceil S \rceil]\}$.

Thus $(S, L) \in C(A, A')$. ∎

Definition: A core domain is any domain $D$ which is an $i$-level core domain for some $i \in \mathbb{N}$, where

• $D$ is a 0-level core domain iff $D = C(A, A')$ for some pair of action predicates $A$ and $A'$ s.t. $A' \subseteq A$;

• $D$ is an $(i + 1)$-level core domain iff one of the following holds:

  – $D$ is an $i$-level core domain;

  – $D = D_1^Y$ for some set $Y$ and $i$-level core domain $D_1$;

  – $D = (D_1 \to_c D_2)$ for some pair of $i$-level core domains $D_1$ and $D_2$;

  – $D = D_1 \times \cdots \times D_n$ for some collection of $i$-level core domains $D_1, \ldots, D_n$.

For each core domain there is a corresponding strong domain derived from $p(Q^\omega)$:

Definition: Given a core domain $D$, the parallel domain of $D$, denoted $\mathrm{pd}(D)$, is

• $p(Q^\omega)$ if $D = C(A, A')$ for some $A$ and $A'$;

• $\mathrm{pd}(D_1)^Y$ if $D = D_1^Y$ for some set $Y$ and core domain $D_1$;

• $(\mathrm{pd}(D_1) \to_c \mathrm{pd}(D_2))$ if $D = (D_1 \to_c D_2)$ for some pair of core domains $D_1$ and $D_2$;

• $\mathrm{pd}(D_1) \times \cdots \times \mathrm{pd}(D_n)$ if $D = D_1 \times \cdots \times D_n$ for some collection of core domains $D_1, \ldots, D_n$.

We now extend the notion of a core as given in Chapter 3.

Definition: Given a core domain $D$ and $T \in \mathrm{pd}(D)$, a $D$-core of $T$ is any $c \in D$ s.t.

• if $D = C(A, A')$ and $c = (S, L)$ for some $A$, $A'$, $S$ and $L$, then

$T \supseteq \{[\lceil S \rceil]\} \cap \bigcap_{l \in L} \mathrm{fair}(l);$

• if $D = D_1^Y$ for some $Y$ and $D_1$, then

$\forall y \in Y(c(y) \text{ is a } D_1\text{-core of } T(y));$

• if $D = (D_1 \to_c D_2)$ for some $D_1$ and $D_2$, then

$\forall x \in D_1, y \in \mathrm{pd}(D_1)(x \text{ is a } D_1\text{-core of } y \Rightarrow c(x) \text{ is a } D_2\text{-core of } T(y));$

• if $D = D_1 \times \cdots \times D_n$ for some $D_1, \ldots, D_n$, then

$\forall i(c_i \text{ is a } D_i\text{-core of } T_i),$

where $c = (c_1, \ldots, c_n)$ and $T = (T_1, \ldots, T_n)$.

Definition: Given a core domain $D$, we say that $T$ is $D$-founded iff $T \in \mathrm{pd}(D)$ and there exists a $D$-core of $T$.

Note that for any $T \in p(Q^\omega)$ and action predicates $A$ and $A'$ s.t. $A' \subseteq A$, $T$ is $C(A, A')$-founded iff $T$ is $(A, A')$-founded.


5.2.3 Properties

We now prove a very important property of core domains.

Lemma 9 Given any core domain $D$, $\bot_D$ is a $D$-core of $\bot_{pd(D)}$; furthermore, for any pair of chains $\{c_i\}$ in $D$ and $\{T_i\}$ in $pd(D)$ s.t. $\bigsqcup_i c_i$ exists and $c_i$ is a $D$-core of $T_i$ for all $i$, we have that $\bigsqcup_i c_i$ is a $D$-core of $\bigsqcup_i T_i$.

The second statement above is depicted by the following diagram, in which a vertical arrow from $c$ to $T$ means that $c$ is a $D$-core of $T$, and $x \sqsubseteq y$ between horizontal neighbours (drawn as a thick horizontal arrow from $x$ to $y$ in the original figure) means that $x$ is below $y$ in the respective domain:
$$
\begin{array}{ccccccc}
c_1 & \sqsubseteq & c_2 & \sqsubseteq & \cdots & \sqsubseteq & \bigsqcup_i c_i \\
\downarrow & & \downarrow & & & & \downarrow \\
T_1 & \sqsubseteq & T_2 & \sqsubseteq & \cdots & \sqsubseteq & \bigsqcup_i T_i
\end{array}
$$

Proof: By induction on the structure of $D$.

Base step: For any pair of action predicates $A$ and $A'$ s.t. $A' \subseteq A$ it is easily seen that $\bot_{C(A,A')} = (Q^+, \emptyset)$ is a $C(A, A')$-core of $\bot_{pd(C(A,A'))} = Q^\omega$. Given any pair of chains $\{c_i\}$ in $C(A, A')$ and $\{T_i\}$ in $p(Q^\omega)$ satisfying the above conditions, and letting $c_i = (S_i, L_i)$ for all $i$, we have that
$$
\bigsqcup_i T_i = \bigcap_i T_i \supseteq \bigcap_i \Big(\{[\lceil S_i \rceil]\} \cap \bigcap_{l \in L_i} \mathrm{fair}(l)\Big) = \{[\lceil S \rceil]\} \cap \bigcap_{l \in L} \mathrm{fair}(l)
$$
where $S = \bigcap_i S_i$ and $L = \bigcup_i L_i$. Since $(S, L) = \bigsqcup_i c_i$, we then have that $\bigsqcup_i c_i$ is a $C(A, A')$-core of $\bigsqcup_i T_i$.

Induction step: We give the proof only for the case that $D = (D_1 \to D_2)$ for some pair of core domains $D_1$ and $D_2$. The proof for the other two cases is similar.

By the induction hypothesis, for all $x \in D_1$ and $y \in pd(D_1)$, $\bot_D(x) = \bot_{D_2}$ is a $D_2$-core of $\bot_{pd(D)}(y) = \bot_{pd(D_2)}$, hence $\bot_D$ is a $D$-core of $\bot_{pd(D)}$. For the second part, we have for any $x \in D_1$ and $y \in pd(D_1)$ that
$$
\forall i\,\big(x \text{ is a } D_1\text{-core of } y \Rightarrow c_i(x) \text{ is a } D_2\text{-core of } T_i(y)\big)
$$
(since $c_i$ is a $D$-core of $T_i$ for all $i$) and hence, using the induction hypothesis,
$$
\begin{aligned}
x \text{ is a } D_1\text{-core of } y &\Rightarrow \forall i\,\big(c_i(x) \text{ is a } D_2\text{-core of } T_i(y)\big) \\
&\Rightarrow \bigsqcup_i c_i(x) \text{ is a } D_2\text{-core of } \bigsqcup_i T_i(y) \\
&\Rightarrow \big(\bigsqcup_i c_i\big)(x) \text{ is a } D_2\text{-core of } \big(\bigsqcup_i T_i\big)(y).
\end{aligned}
$$
So $\bigsqcup_i c_i$ is a $(D_1 \to D_2)$-core of $\bigsqcup_i T_i$. ■

As a result of the above, we have the following result:

Theorem 10 Given any core domain $D$, if $F$ is $(D \to D)$-founded, then $\mathrm{fix}(F)$ is $D$-founded.

Proof: Let $c$ be a $(D \to D)$-core of $F$. Furthermore, let $\gamma_0 = \bot_D$ and $\gamma'_0 = \bot_{pd(D)}$, $\gamma_{i+1} = c(\gamma_i)$ and $\gamma'_{i+1} = F(\gamma'_i)$ for any ordinal $i$, and $\gamma_i = \bigsqcup_{j<i} \gamma_j$ and $\gamma'_i = \bigsqcup_{j<i} \gamma'_j$ for any limit ordinal $i$. Due to the continuity of $c$, $\gamma_i$ is well-defined and equal to $\gamma_\omega$ for all ordinals $i \ge \omega$.

We show by transfinite induction that $\gamma_i$ is a $D$-core of $\gamma'_i$ for all ordinals $i$. Base step: By Lemma 9, $\gamma_0$ is a $D$-core of $\gamma'_0$. Induction step: if $\gamma_i$ is a $D$-core of $\gamma'_i$, then since $c$ is a $(D \to D)$-core of $F$ we have that $c(\gamma_i) = \gamma_{i+1}$ is a $D$-core of $F(\gamma'_i) = \gamma'_{i+1}$. Furthermore, for any limit ordinal $i$, $\bigsqcup_{j<i} \gamma_j$ exists and hence by Lemma 9 we have that if $\gamma_j$ is a $D$-core of $\gamma'_j$ for all $j < i$, then $\gamma_i = \bigsqcup_{j<i} \gamma_j$ is a $D$-core of $\gamma'_i = \bigsqcup_{j<i} \gamma'_j$.

Since we have that $\mathrm{fix}(F) = \gamma'_i$ for some ordinal $i$, we then have that $\gamma_i$ is a $D$-core of $\mathrm{fix}(F)$. ■

The  definitions  and  results  of  this  section  are  presented  in  a  form  more  general  than  needed  for 
our  immediate  purposes,  so  that  they  may  be  applied  to  programming  languages  other  than  those 
examined  in  this  thesis. 


5.3  The  language  SP 


We now turn our attention to the language SP used to define sequential processes in the previous chapter. We have already established that $\mathcal{S}_a$ is well-defined. The question we now address is this: given some $P \in SP$ and action predicates $A$ and $A'$ s.t. $A' \subseteq A$, how can we guarantee that $\mathcal{M}[\![P]\!]$ is $(A, A')$-founded?

In  order  to  do  this,  we  need  the  following  theorem. 

Theorem 11 If

1. $A$ and $A'$ are action predicates s.t. $A' \subseteq A$,

2. $a$ and $a'$ are state relations s.t. $A = \{[a]\}$ and $A' = \{[a']\}$, and

3. for $1 \le i \le n$, $l_i = (\pi_i, \rho_i)$ is an $A'$-admissible transition rule,

then the function
$$
\mathrm{cmd}(l_1, \ldots, l_n): p(Q^\omega)^n \to p(Q^\omega)
$$
(which we abbreviate as $f$) defined by
$$
f(T_1, \ldots, T_n) = \Big\{\Big[\ \bigvee_{i=1}^{n}\Diamond\big(\ominus(\boxminus\neg a \wedge \lceil \pi_i \rceil) \wedge \lceil \rho_i \rceil \wedge \lfloor T_i \rfloor\big)\ \vee\ \big(\Box\neg a \wedge \Diamond\Box\neg\bigvee_{i=1}^{n}\lceil \pi_i \rceil\big)\ \Big]\Big\}
$$
for all $T_1, \ldots, T_n \subseteq Q^\omega$, is $(C(A, A')^n \to C(A, A'))$-founded.


The proof of the above theorem is rather long and tedious, and may be found in the appendix.
In the sequel we will write
$$
\mathrm{cmd}[e_1 \to c_1 \mid \cdots \mid e_n \to c_n]
$$
for 

With  this  we  can  now  prove  the  result  we  need: 
Theorem 12 For any pair of state relations $a$ and $a'$, and $R \in BD$ s.t.

1. $\{[a]\}$ and $\{[a']\}$ are action predicates and $\models a' \Rightarrow a$, and

2. for every command in $R$ of form $[e \to c]$ or $[e \uparrow c]$ there exists some state relation $c'$ s.t. $\models c' \Rightarrow c$ and $(\{[e]\}, \{[c']\})$ is $\{[a']\}$-admissible,

the trace set $\mathcal{M}[\![a : a' : R]\!]$ is $(\{[a]\}, \{[a']\})$-founded.

Proof: Let $A = \{[a]\}$ and $A' = \{[a']\}$. Examining the definition of $\mathcal{M}$, we see that $\mathcal{M}[\![a : a' : R]\!]$ is $(A, A')$-founded if $\mathcal{S}_a[\![R]\!]$ is $(A, A')$-founded. Let $BD'$ be the set of elements of $BD$ satisfying condition 2 above; then we see that for any $R' \in BD'$, in the recursive definition of $\mathcal{S}_a[\![R']\!]$ the function $\mathcal{S}_a$ is applied only to elements of $BD'$, and so we can restrict $\mathcal{S}_a$ to operate only on elements of $BD'$ and still use this recursive definition. $\mathcal{S}_a[\![R]\!]$ is $(A, A')$-founded if $\mathcal{S}_a$ thus restricted is $D$-founded, where
$$
D = C(A, A')^{BD'},
$$
and by Theorem 10 this will be so if the function $F: D' \to D'$ is $(D \to D)$-founded, where
$$
D' = pd(D)\quad (= p(Q^\omega)^{BD'})
$$
and $F$ is the function (implicitly given by the recursive definition of $\mathcal{S}_a$) s.t. $\mathcal{S}_a = \mathrm{fix}(F)$.

For all $f \in D'$, we define

• $F'(f)[\![\texttt{end}]\!] = \{[\Box\neg a]\}$;

• $F'(f)[\![\texttt{skip}; R]\!] = f[\![R]\!]$;

• $F'(f)[\![\texttt{abort}; R]\!] = \{[tt]\}$;

• $F'(f)[\![[e \to c]; R]\!] = \mathrm{cmd}[e \to c'](f[\![R]\!])$, where $c'$ is some state relation satisfying condition 2 above;

• $F'(f)[\![[e \uparrow c]; R]\!] = \mathrm{cmd}[e \to c'](f[\![R]\!])$, where $c'$ is some state relation satisfying condition 2 above;

• $F'(f)[\![[p_1 = R_1 \mid \cdots \mid p_n = R_n \mid R_\ast]; R]\!] = f[\![R'_\ast; R]\!]$, where $R'_\ast$ is obtained from $R_\ast$ by simultaneously replacing each free instance of any $p_i$ in $R_\ast$ by `$[p_1 = R_1 \mid \cdots \mid p_n = R_n \mid R_i]$';

• $F'(f)[\![p; R]\!] = \{[tt]\}$ if $p \in PN$;

• $F'(f)[\![[e_1 \to R_1 \mid \cdots \mid e_n \to R_n]; R]\!] = \mathrm{cmd}[e_1 \to \mathrm{null} \mid \cdots \mid e_n \to \mathrm{null}](f[\![R_1; R]\!], \ldots, f[\![R_n; R]\!])$.

Using the facts that, for any state formula $e$,

1. $\models \Diamond\Box e \Rightarrow \neg\Box\neg e$ and

2. $\models \ominus(e \wedge \boxminus\neg a) \wedge \mathrm{null} \Rightarrow e \wedge \boxminus\neg a$,

it is straightforward to verify that $F \sqsubseteq F'$. Then, since
$$
T \supseteq T' \wedge T' \text{ is } C(A, A')\text{-founded} \Rightarrow T \text{ is } C(A, A')\text{-founded}
$$
for any $T, T' \subseteq Q^\omega$, if $F'$ is $(D \to D)$-founded then so is $F$.

For any $e_1, \ldots, e_n \in EX_1$ and $c_1, \ldots, c_n \in EX_2$, let
$$
\mathrm{cmd}_c[e_1 \to c_1 \mid \cdots \mid e_n \to c_n]
$$
be some $(C(A, A')^n \to C(A, A'))$-core of
$$
\mathrm{cmd}[e_1 \to c_1 \mid \cdots \mid e_n \to c_n]
$$
if such exists. We define $G: D \to D$ by

• $G(g)[\![\texttt{end}]\!] = (\{[\neg a]\}, \emptyset)$;

• $G(g)[\![\texttt{skip}; R]\!] =$

• $G(g)[\![\texttt{abort}; R]\!] = (\{[tt]\}, \emptyset)$;

• $G(g)[\![[e \to c]; R]\!] = \mathrm{cmd}_c[e \to c'](g[\![R]\!])$, where $c'$ is some state relation satisfying condition 2 above;

• $G(g)[\![[e \uparrow c]; R]\!] = \mathrm{cmd}_c[e \to c'](g[\![R]\!])$, where $c'$ is some state relation satisfying condition 2 above;

• $G(g)[\![[p_1 = R_1 \mid \cdots \mid p_n = R_n \mid R_\ast]; R]\!] = g[\![R'_\ast; R]\!]$, where $R'_\ast$ is obtained from $R_\ast$ by simultaneously replacing each free instance of any $p_i$ in $R_\ast$ by `$[p_1 = R_1 \mid \cdots \mid p_n = R_n \mid R_i]$';

• $G(g)[\![p; R]\!] = (\{[tt]\}, \emptyset)$ if $p \in PN$;

• $G(g)[\![[e_1 \to R_1 \mid \cdots \mid e_n \to R_n]; R]\!] = \mathrm{cmd}_c[e_1 \to \mathrm{null} \mid \cdots \mid e_n \to \mathrm{null}](g[\![R_1; R]\!], \ldots, g[\![R_n; R]\!])$,

for all $g: BD' \to C(A, A')$. Noting that $(\{[e]\}, \{[\mathrm{null}]\})$ is $A'$-admissible for any local formula $e$, we see that Theorem 11 applies and hence the appropriate core exists for every use of $\mathrm{cmd}_c$ in the above definition. From this it is straightforward to verify that $G$ is a $(D \to D)$-core of $F'$, and hence $F'$ is $(D \to D)$-founded. ■
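As an added worked instance (not part of the thesis text), the step the proof calls straightforward can be spelled out by unfolding the definition of a $D$-core for $D = C(A, A')^{BD'}$ and for $D \to D$. The names are those used in the proof above; nothing beyond the definitions of Section 5.2 and Theorem 11 is assumed.

```latex
\begin{aligned}
G \text{ is a } (D \to D)\text{-core of } F'
&\iff \forall g \in D,\ f \in pd(D)\ \big(g \text{ is a } D\text{-core of } f \;\Rightarrow\; G(g) \text{ is a } D\text{-core of } F'(f)\big) \\
&\iff \forall g, f\ \Big(\forall R' \in BD'\,\big(g[\![R']\!] \text{ is a } C(A,A')\text{-core of } f[\![R']\!]\big) \\
&\qquad\qquad\ \Rightarrow\ \forall R' \in BD'\,\big(G(g)[\![R']\!] \text{ is a } C(A,A')\text{-core of } F'(f)[\![R']\!]\big)\Big).
\end{aligned}
\]
\text{Fix } g, f \text{ satisfying the hypothesis. For the clause } R' = [e \to c]; R \text{ it gives that } g[\![R]\!] \text{ is a } C(A,A')\text{-core of } f[\![R]\!];
\text{by Theorem 11 with } n = 1,\ \mathrm{cmd}_c[e \to c'] \text{ is a } (C(A,A') \to C(A,A'))\text{-core of } \mathrm{cmd}[e \to c'],
\text{so the function-space case of the definition yields}
\[
G(g)[\![[e \to c]; R]\!] = \mathrm{cmd}_c[e \to c'](g[\![R]\!]) \ \text{ is a } C(A,A')\text{-core of }\ \mathrm{cmd}[e \to c'](f[\![R]\!]) = F'(f)[\![[e \to c]; R]\!].
\]
\text{For the clause } R' = \texttt{abort}; R \text{ no hypothesis on } f \text{ is needed, since (as in the base step of Lemma 9)}
\[
\{[\lceil \{[tt]\} \rceil]\} \cap \bigcap_{l \in \emptyset} \mathrm{fair}(l) = Q^\omega \subseteq \{[tt]\} = F'(f)[\![\texttt{abort}; R]\!],
\]
\text{so } (\{[tt]\}, \emptyset) \text{ is a core of it. The IF clause is the guarded-command argument with } n \text{ branches and the rules } (\{[e_j]\}, \{[\mathrm{null}]\}).
```

The two clauses shown are the only ones in which $G$ depends on $g$ through $\mathrm{cmd}_c$; the remaining clauses either pass $g[\![\cdot]\!]$ through unchanged or, like abort, return a core that is independent of $f$.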
Chapter 6

Conclusion 


6.1  What  have  we  accomplished? 

First  of  all,  we  have  shown  how  the  behavior  of  a  concurrent  system  may  be  described  as 
the  conjunction  of  the  behaviors  of  its  component  agents  and  a  global  constraint  on  the  system 
behavior.  We  presented  a  notation  for  defining  the  behavior  of  some  simple  agents,  and  used  it  to 
give  the  semantics  of  digital  circuits  and  Petri  nets. 

Secondly, we have shown how to give the semantics of a more expressive class of programming notations: those programming languages which describe the concurrent operation of a set of sequential processes, each process described by composing a set of primitive commands using sequential composition, IF statements, and recursion. This class includes languages which use shared variables and P and V operations, as well as CSP. A specific contribution of this thesis has been to give a formal semantics for CSP augmented with the probe.

Thirdly,  perhaps  the  major  contribution  of  this  thesis  is  the  method  we  have  presented  for 
showing  that  the  meaning  of  a  program  is  always  a  nonempty  trace  set,  and  that  therefore  it  may 
serve  as  the  basis  for  a  consistent  axiom  set  in  an  axiomatic  semantics.  Furthermore,  the  proof  of 
this  for  each  programming  language  we  examined  was  not  overly  specific  to  the  particular  language, 
but  instead  made  use  of  some  fairly  general  theorems. 

In  addition,  the  technique  of  core  domains  (Chapter  5)  may  be  of  interest  to  other  researchers 
in  program  semantics  who  are  faced  with  the  problem  that  the  objects  of  interest  are  a  subset  Y 
of  a  domain  D,  but  do  not  form  a  subdomain,  although  there  is  reason  to  believe  that  the  least 
fixed-point  of  any  ‘reasonable’  function  on  the  domain  will  belong  to  this  subset. 


6.2  Directions  for  further  research 

An  obvious  next  step  is  to  devise  a  proof  system  for  the  two  languages  examined  in  Chapter  4, 
based  on  the  semantics  we  have  given.  Such  a  proof  system  would  of  course  use  some  form  of 
temporal  logic. 

One  complaint  that  could  be  made  about  the  semantics  given  for  the  two  languages  in  Chapter  4 
is  that  they  are  insufficiently  abstract,  since  the  values  of  variables  internal  to  a  process  are  made 
visible as part of the system state. This could be remedied in two ways. The first way is to redefine $\mathcal{S}_a$ so that it has functionality
$$
\mathcal{S}_a: BD \to p(Q^\omega)^I,
$$
where $I$ is the set of possible internal states of a process. $\mathcal{S}_a$ would then give the future behavior of a process given its internal state and the remainder of the program it is to execute. The second way is to introduce a 'hiding' operator which maps traces in $Q^\omega$ to traces in $Q'^\omega$, where the states $q' \in Q'$ are the restrictions of the states $q \in Q$ to the set of externally observable quantities. Such an operator would be the analog of the projection operator of trace theory [23].

A hiding operator would also be of use in giving the semantics of a language in which recursion could be used at the level of process composition. In order to show that the meaning of any program in such a language is nonempty, we would need a proof that the intersection operation is $D$-founded for the appropriate core domain $D$, and similarly with the hiding operation. The author already has such a proof for the intersection operation, based on a modification of Theorem 4, but not for the hiding operation.
Appendix A

Proof  of  Theorem  11 


The  proof  of  the  following  theorem  is  long  and  tedious.  We  suggest  that  you  get  a  good  night’s 
sleep  before  reading  it. 

Theorem 11 If

1. $A$ and $A'$ are action predicates s.t. $A' \subseteq A$,

2. $a$ and $a'$ are state relations s.t. $A = \{[a]\}$ and $A' = \{[a']\}$, and

3. for $1 \le i \le n$, $l_i = (\pi_i, \rho_i)$ is an $A'$-admissible transition rule,

then the function
$$
\mathrm{cmd}(l_1, \ldots, l_n): p(Q^\omega)^n \to p(Q^\omega)
$$
(which we abbreviate as $f$) defined by
$$
f(T_1, \ldots, T_n) = \Big\{\Big[\ \bigvee_{i=1}^{n}\Diamond\big(\ominus(\boxminus\neg a \wedge \lceil \pi_i \rceil) \wedge \lceil \rho_i \rceil \wedge \lfloor T_i \rfloor\big)\ \vee\ \big(\Box\neg a \wedge \Diamond\Box\neg\bigvee_{i=1}^{n}\lceil \pi_i \rceil\big)\ \Big]\Big\}
$$
for all $T_1, \ldots, T_n \subseteq Q^\omega$, is $(C(A, A')^n \to C(A, A'))$-founded.


Proof: $f$ is obviously a monotonic function. Thus we need only to construct a $(C(A, A')^n \to C(A, A'))$-core for $f$.

For $1 \le i \le n$, let
$$
\begin{aligned}
p_i &= \{[\lceil \rho_i \rceil \wedge \ominus(\lceil \pi_i \rceil \wedge \boxminus\neg a)]\}, \\
p &= \bigcup_{j=1}^{n} p_j, \\
p'_i &= \{[\lceil p_i \rceil \wedge \neg\ominus\Diamond\lceil p \rceil \wedge \bigwedge_{j<i}\neg\lceil p_j \rceil]\}, \\
p' &= \bigcup_{j=1}^{n} p'_j.
\end{aligned}
$$

Note that

1. $\models \Box\neg\lceil p \rceil \vee \bigvee_{i=1}^{n}\Diamond\lceil p'_i \rceil$,

2. $\models \lceil p'_i \rceil \Rightarrow \bigwedge_{j \ne i}\Box\neg\lceil p'_j \rceil$ for all $i$.

For any $v \in Q^\infty$ there is at most one choice of $s$, $w$ and $i$ s.t. $s \in p'_i$, $fs(s) = is(w)$ and $v = s \cdot w$; let $\beta(v) = s$ and $\alpha(v) = w$ whenever such exist.

For $Z_i = (S_i, L_i) \in C(A, A')$ ($1 \le i \le n$) we define
$$
g(Z_1, \ldots, Z_n) = (S, L)
$$
where
$$
\begin{aligned}
S &= \{[\boxminus(\neg a \wedge \neg\lceil p \rceil)]\} \cup \bigcup_{i=1}^{n} p'_i \cdot S_i, \\
L &= \{(\pi_0, p)\} \cup \bigcup_{i=1}^{n}\{\, (p'_i \cdot \pi,\ p'_i \cdot \rho) \mid (\pi, \rho) \in L_i \,\}, \\
\pi_0 &= \{[\bigvee_{i=1}^{n}\lceil \pi_i \rceil \wedge \boxminus(\neg a \wedge \neg\lceil p \rceil)]\}
\end{aligned}
$$
(recall that, in general, $V \cdot W = \{\, v \cdot w \mid fs(v) = is(w) \wedge v \in V \wedge w \in W \,\}$ if $V \subseteq Q^+$).

First we note that for any $t \in \{[\lceil S \rceil]\}$ and for any $i$,
$$
\begin{aligned}
t \models \Box\neg\lceil p \rceil &\Rightarrow t \models \Box\boxminus(\neg a \wedge \neg\lceil p \rceil) \\
&\Rightarrow t \in \{[\Box(\neg a \wedge \neg\lceil p \rceil)]\}
\end{aligned}
$$
and
$$
\begin{aligned}
t \models \Diamond\lceil p'_i \rceil &\Rightarrow \alpha(t) \in \{[\lceil S_i \rceil]\} \\
&\Rightarrow t \in p'_i \cdot \{[\lceil S_i \rceil]\},
\end{aligned}
$$
and hence, by note 1 above,
$$
\{[\lceil S \rceil]\} \subseteq \{[\Box(\neg a \wedge \neg\lceil p \rceil)]\} \cup \bigcup_{i=1}^{n} p'_i \cdot \{[\lceil S_i \rceil]\}.
$$

Since the reverse inclusion is easily seen to hold, we then have that
$$
\{[\lceil S \rceil]\} = \{[\Box(\neg a \wedge \neg\lceil p \rceil)]\} \cup \bigcup_{i=1}^{n} p'_i \cdot \{[\lceil S_i \rceil]\}.
$$

Second, we show that $g(Z_1, \ldots, Z_n) \in C(A, A')$:

1. Since each $(\pi_i, \rho_i)$ is $A'$-admissible, so is $(\pi_0, p)$. For any $i$ and $(\pi, \rho) \in L_i$, $(\pi, \rho)$ is $A'$-admissible and hence

(a) for all $s \in p'_i \cdot \pi$, letting $r = \beta(s)$ and $s' = \alpha(s)$, we have that
$$
\begin{aligned}
s \in p'_i \cdot \pi &\Rightarrow s' \in \pi \\
&\Rightarrow \exists q\,(s' q \in \rho) \\
&\Rightarrow \exists q\,(r \cdot s' q \in p'_i \cdot \rho) \\
&\Rightarrow \exists q\,(s q \in p'_i \cdot \rho);
\end{aligned}
$$

(b) since $A' = \{[a']\}$, where $a'$ is a state relation, we have that $s \in A' \Rightarrow r \cdot s \in A'$ for all $r, s \in Q^+$, hence $p'_i \cdot A' \subseteq A'$, and so
$$
\begin{aligned}
\{\, sq \mid s \in p'_i \cdot \pi \wedge sq \in p'_i \cdot \rho \,\} &= \{\, r \cdot s' q \mid r \in p'_i \wedge fs(r) = is(s') \wedge s' \in \pi \wedge s' q \in \rho \,\} \\
&= p'_i \cdot \{\, s' q \mid s' \in \pi \wedge s' q \in \rho \,\} \\
&\subseteq p'_i \cdot (A' \cup \{[\mathrm{null}]\}) \\
&\subseteq A' \cup \{[\mathrm{null}]\}.
\end{aligned}
$$

Thus $(p'_i \cdot \pi, p'_i \cdot \rho)$ is $A'$-admissible for all $i$ and $(\pi, \rho) \in L_i$, and so $L$ is a countable set of $A'$-admissible transition rules.

2. For any $t \in \mathrm{safe}(L, A)$, using the fact that
$$
\models \lceil p \rceil \wedge \ominus\boxminus\neg a \Rightarrow \lceil p' \rceil,
$$
we have that
$$
t \models \Box\Big(\neg a \vee \lceil p' \rceil \vee \exists i\,\exists (\pi, \rho) \in L_i\,\big(\lceil p'_i \cdot \rho \rceil \wedge \ominus\lceil p'_i \cdot \pi \rceil\big)\Big)
$$
and so
$$
\begin{aligned}
t \models \Box\neg\lceil p \rceil &\Rightarrow t \models \Box(\neg a \wedge \neg\lceil p \rceil) \\
&\Rightarrow t \in \{[\lceil S \rceil]\}, \\
t \models \Diamond\lceil p'_i \rceil &\Rightarrow t \models \Box\Big(\neg a \vee \lceil p'_i \rceil \vee \exists (\pi, \rho) \in L_i\,\big(\lceil p'_i \cdot \rho \rceil \wedge \ominus\lceil p'_i \cdot \pi \rceil\big)\Big) \\
&\Rightarrow \alpha(t) \models \Box\Big(\neg a \vee \mathrm{null} \vee \exists (\pi, \rho) \in L_i\,\big(\lceil \rho \rceil \wedge \ominus\lceil \pi \rceil\big)\Big) \\
&\Rightarrow \alpha(t) \in \mathrm{safe}(L_i, A) \subseteq \{[\lceil S_i \rceil]\} \\
&\Rightarrow t \in p'_i \cdot \{[\lceil S_i \rceil]\} \subseteq \{[\lceil S \rceil]\}.
\end{aligned}
$$

Thus $\mathrm{safe}(L, A) \subseteq \{[\lceil S \rceil]\}$.

Third, we show that, for any $T_1, \ldots, T_n \subseteq Q^\omega$ s.t. $(S_i, L_i)$ is a $C(A, A')$-core of $T_i$ for all $i$, $(S, L)$ is a $C(A, A')$-core of $f(T_1, \ldots, T_n)$. For any $t \in \{[\lceil S \rceil]\} \cap \bigcap_{l \in L}\mathrm{fair}(l)$, there are two cases:

1. If $t \models \Box\neg\lceil p \rceil$, then $t \in f(T_1, \ldots, T_n)$, since
$$
\begin{aligned}
&\{[\lceil S \rceil]\} \cap \{[\Box\neg\lceil p \rceil]\} \cap \bigcap_{l \in L}\mathrm{fair}(l) \\
&\quad\subseteq \{[\Box(\neg a \wedge \neg\lceil p \rceil)]\} \cap \mathrm{fair}(\pi_0, p) \\
&\quad= \{[\Box(\neg a \wedge \neg\lceil p \rceil) \wedge \neg\Box\Diamond\lceil \pi_0 \rceil]\} \\
&\quad= \{[\Box(\neg a \wedge \neg\lceil p \rceil) \wedge \neg\Box\Diamond\bigvee_{i=1}^{n}\lceil \pi_i \rceil]\} \\
&\qquad\text{(using the fact that } \models \Box(\neg a \wedge \neg\lceil p \rceil) \Rightarrow (\lceil \pi_0 \rceil \Leftrightarrow \bigvee_{i=1}^{n}\lceil \pi_i \rceil)\text{)} \\
&\quad\subseteq \{[\Box\neg a \wedge \Diamond\Box\neg\bigvee_{i=1}^{n}\lceil \pi_i \rceil]\} \\
&\quad\subseteq f(T_1, \ldots, T_n).
\end{aligned}
$$

2. If $t \models \Diamond\lceil p'_i \rceil$ for some $i$, then $t \in p'_i \cdot \{[\lceil S_i \rceil]\}$ and hence $\alpha(t) \in \{[\lceil S_i \rceil]\}$. In addition, letting $r = \beta(t)$, for all $(\pi, \rho) \in L_i$ we have
$$
\begin{aligned}
\alpha(t) \models \Box\Diamond\lceil \pi \rceil &\Rightarrow \{\, s \le \alpha(t) \mid s \in \pi \,\} \text{ is infinite} \\
&\Rightarrow \{\, s' \le t \mid s' \in p'_i \cdot \pi \,\} \text{ is infinite} \\
&\Rightarrow \{\, s' q \le t \mid s' \in p'_i \cdot \pi \wedge s' q \in p'_i \cdot \rho \,\} \text{ is infinite} \\
&\qquad\text{(using the fact that } t \in \mathrm{fair}(p'_i \cdot \pi, p'_i \cdot \rho)\text{)} \\
&\Rightarrow \{\, r \cdot sq \mid r \cdot sq \le t \wedge s \in \pi \wedge sq \in \rho \,\} \text{ is infinite} \\
&\Rightarrow \{\, sq \le \alpha(t) \mid s \in \pi \wedge sq \in \rho \,\} \text{ is infinite} \\
&\Rightarrow \alpha(t) \models \Box\Diamond(\lceil \rho \rceil \wedge \ominus\lceil \pi \rceil)
\end{aligned}
$$
and hence $\alpha(t) \in \mathrm{fair}(\pi, \rho)$. Since $(S_i, L_i)$ is a $C(A, A')$-core of $T_i$, this means that $\alpha(t) \in T_i$, and hence $t \in p'_i \cdot T_i$. Then $t \in f(T_1, \ldots, T_n)$, since
$$
\begin{aligned}
t \in p'_i \cdot T_i &\Rightarrow t \in \{[\Diamond(\lceil p'_i \rceil \wedge \lfloor T_i \rfloor)]\} \\
&\Rightarrow t \in \{[\Diamond(\ominus(\boxminus\neg a \wedge \lceil \pi_i \rceil) \wedge \lceil \rho_i \rceil \wedge \lfloor T_i \rfloor)]\} \\
&\Rightarrow t \in f(T_1, \ldots, T_n).
\end{aligned}
$$

Thus $\{[\lceil S \rceil]\} \cap \bigcap_{l \in L}\mathrm{fair}(l) \subseteq f(T_1, \ldots, T_n)$.


Finally, we must show that $g$ is continuous. It is easily seen that it is monotonic by examining the definitions. We will show that it is continuous in each argument.

Let $1 \le i \le n$ and let $\{\, Z_{i,k} \mid k \in \mathbb{N} \,\}$ be a chain in $C(A, A')$, where $Z_{i,k} = (S_{i,k}, L_{i,k})$ for all $k$. First, note that $\bigcap_k (p'_i \cdot S_{i,k}) = p'_i \cdot (\bigcap_k S_{i,k})$. Proof: We show that the two sets are subsets of each other. From the monotonicity of the $\cdot$ operator on $p(Q^+)$ we have immediately that $p'_i \cdot (\bigcap_k S_{i,k}) \subseteq \bigcap_k (p'_i \cdot S_{i,k})$. The reverse inclusion also holds, since for all $s$,
$$
\begin{aligned}
s \in \bigcap_k (p'_i \cdot S_{i,k}) &\Rightarrow \forall k\,\big(\exists r \le s\,(r \in p'_i) \wedge \alpha(s) \in S_{i,k}\big) \\
&\Rightarrow \exists r \le s\,(r \in p'_i) \wedge \forall k\,(\alpha(s) \in S_{i,k}) \\
&\Rightarrow s \in p'_i \cdot \Big(\bigcap_k S_{i,k}\Big).
\end{aligned}
$$

Letting $(S, L) = g(Z_1, \ldots, \bigsqcup_k Z_{i,k}, \ldots, Z_n)$, $(S', L') = \bigsqcup_k g(Z_1, \ldots, Z_{i,k}, \ldots, Z_n)$ and $Z_j = (S_j, L_j)$ for all $j \ne i$, we show that $(S, L) = (S', L')$, as follows:

Let $V = \{[\boxminus(\neg a \wedge \neg\lceil p \rceil)]\} \cup \bigcup_{j \ne i} p'_j \cdot S_j$; then
$$
\begin{aligned}
S &= V \cup p'_i \cdot \Big(\bigcap_k S_{i,k}\Big) \\
&= V \cup \bigcap_k p'_i \cdot S_{i,k} \\
&= \bigcap_k \big(V \cup p'_i \cdot S_{i,k}\big) \\
&= S'.
\end{aligned}
$$

Let $M = \{(\pi_0, p)\} \cup \bigcup_{j \ne i}\{\, (p'_j \cdot \pi, p'_j \cdot \rho) \mid (\pi, \rho) \in L_j \,\}$; then
$$
\begin{aligned}
L &= M \cup \{\, (p'_i \cdot \pi, p'_i \cdot \rho) \mid (\pi, \rho) \in \bigcup_k L_{i,k} \,\} \\
&= M \cup \bigcup_k \{\, (p'_i \cdot \pi, p'_i \cdot \rho) \mid (\pi, \rho) \in L_{i,k} \,\} \\
&= \bigcup_k \big(M \cup \{\, (p'_i \cdot \pi, p'_i \cdot \rho) \mid (\pi, \rho) \in L_{i,k} \,\}\big) \\
&= L'.
\end{aligned}
$$

Thus we have shown that $g$ is a $(C(A, A')^n \to C(A, A'))$-core of $f$. ■